sphinxcontrib-spelling
sphinxcontrib-plantuml
sphinx_toolbox>=3.2.0
+six
\ No newline at end of file
- create keycloak namespace::
> kubectl create namespace keycloak
- > kubectl label namespace keycloak istio-injection=enabled
+ > kubectl label namespace keycloak istio-injection=disabled
Install Keycloak-Database
^^^^^^^^^^^^^^^^^^^^^^^^^
- Install keycloak::
- > helm -n keycloak upgrade -i keycloak codecentric/keycloak --values ./keycloak-server-values.yaml
+ > helm -n keycloak upgrade -i keycloak codecentric/keycloakx --values ./keycloak-server-values.yaml
The required Ingress entry and REALM will be provided by the ONAP "Platform"
component.
+
+- Create Ingress gateway entry for the keycloak web interface
+ using the configured Ingress <base-url> (here "simpledemo.onap.org")
+ as described in :ref:`oom_customize_overrides`
+
+ .. collapse:: keycloak-ingress.yaml
+
+ .. include:: ../../resources/yaml/keycloak-ingress.yaml
+ :code: yaml
+
+- Add the Ingress entry for Keycloak::
+
+ > kubectl -n keycloak apply -f keycloak-ingress.yaml
+
.. figure:: ../../resources/images/servicemesh/ServiceMesh.png
:align: center
-For external access we start to establish Authentication via Oauth2-proxy
-and Keycloak which will be completed in the coming release.
+For external access we propose to establish Authentication via Oauth2-proxy
+and Keycloak which is described in this document.
============== ====== ============ ==============
London 1.17.2 v0.6.2 19.0.3-legacy
Montreal 1.19.3 v1.0.0 19.0.3-legacy
- New Delhi 1.19.3 v1.0.0 19.0.3-legacy
+ New Delhi 1.19.3 v1.0.0 22.0.4
============== ====== ============ ==============
.. table:: OOM Software Requirements (optional)
--- /dev/null
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: Helm
+ name: keycloak-ui-http-route
+ namespace: keycloak
+spec:
+ hostnames:
+ - keycloak-ui.simpledemo.onap.org
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: common-gateway
+ namespace: istio-ingress
+ sectionName: https-80
+ rules:
+ Filters:
+ Request Redirect:
+ Port: 443
+ Scheme: https
+ Status Code: 301
+ Type: RequestRedirect
+ Matches:
+ Path:
+ Type: PathPrefix
+ Value: /auth
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: Helm
+ name: keycloak-ui-http-route
+ namespace: keycloak
+spec:
+ hostnames:
+ - keycloak-ui.simpledemo.onap.org
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: common-gateway
+ namespace: istio-ingress
+ sectionName: https-443
+ rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: keycloak-keycloakx-http
+ port: 80
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /auth
-image:
- # The Keycloak image repository
- repository: quay.io/keycloak/keycloak
- # Overrides the Keycloak image tag whose default is the chart appVersion
- tag: "19.0.3-legacy"
-
-postgresql:
- # If `true`, the Postgresql dependency is enabled
- enabled: false
+---
+command:
+ - "/opt/keycloak/bin/kc.sh"
+ - "--verbose"
+ - "start"
+ - "--http-enabled=true"
+ - "--http-port=8080"
+ - "--hostname-strict=false"
+ - "--hostname-strict-https=false"
+ - "--spi-events-listener-jboss-logging-success-level=info"
+ - "--spi-events-listener-jboss-logging-error-level=warn"
extraEnv: |
- - name: KEYCLOAK_USER
+ - name: KEYCLOAK_ADMIN
valueFrom:
secretKeyRef:
name: {{ include "keycloak.fullname" . }}-admin-creds
key: user
- - name: KEYCLOAK_PASSWORD
+ - name: KEYCLOAK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "keycloak.fullname" . }}-admin-creds
key: password
- - name: DB_VENDOR
- value: postgres
- - name: DB_ADDR
- value: keycloak-db-postgresql
- - name: DB_PORT
- value: "5432"
- - name: DB_DATABASE
- value: keycloak
- - name: DB_USER
- value: dbusername
- - name: DB_PASSWORD_FILE
- value: /secrets/db-creds/password
+ - name: JAVA_OPTS_APPEND
+ value: >-
+ -XX:+UseContainerSupport
+ -XX:MaxRAMPercentage=50.0
+ -Djava.awt.headless=true
+ -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless
- name: PROXY_ADDRESS_FORWARDING
value: "true"
-extraVolumeMounts: |
- - name: db-creds
- mountPath: /secrets/db-creds
- readOnly: true
+dbchecker:
+ enabled: true
-extraVolumes: |
- - name: db-creds
- secret:
- secretName: keycloak-db-postgresql
+database:
+ vendor: postgres
+ hostname: keycloak-db-postgresql
+ port: 5432
+ username: dbusername
+ password: dbpassword
+ database: keycloak
secrets:
admin-creds:
- annotations:
- my-test-annotation: Test secret for {{ include "keycloak.fullname" . }}
stringData:
user: admin
- password: secret
\ No newline at end of file
+ password: secret
apiVersion: v2
description: ONAP Active and Available Inventory
name: aai
-version: 13.0.0
+version: 13.0.1
dependencies:
- name: common
apiVersion: v2
description: ONAP AAI resources
name: aai-resources
-version: 13.0.0
+version: 13.0.1
dependencies:
- name: common
url: external-system
# application image
-image: onap/aai-resources:1.12.3
+image: onap/aai-resources:1.13.0
pullPolicy: Always
restartPolicy: Always
flavor: small
apiVersion: v2
description: ONAP Controller Design Studio (CDS)
name: cds
-version: 13.0.0
+version: 13.0.2
dependencies:
- name: common
- name: mariadb-galera
version: ~13.x-0
repository: '@local'
+ condition: global.mariadbGalera.localCluster
- name: cds-blueprints-processor
version: ~13.x-0
repository: 'file://components/cds-blueprints-processor'
nodePortPrefixExt: 304
persistence:
mountPath: /dockerdata-nfs
+ mariadbGalera: &mariadbGalera
+ # flag to enable the DB creation via mariadb-operator
+ useOperator: true
+ #This flag allows NBI to instantiate its own mariadb-galera cluster
+ #When changing it to "true", also set "globalCluster: false"
+ #as the dependency check will not work otherwise (Chart.yaml)
+ localCluster: true
+ globalCluster: false
+ service: mariadb-galera
+ internalPort: 3306
+ nameOverride: mariadb-galera
+ # (optional) if localCluster=false and an external secret is used set this variable
+ #userRootSecret: <secretName>
+
#################################################################
# Secrets metaconfig
serviceAccount:
nameOverride: *dbServer
- mariadbConfiguration: |-
- [client]
- port=3306
- socket=/opt/bitnami/mariadb/tmp/mysql.sock
- plugin_dir=/opt/bitnami/mariadb/plugin
-
- [mysqld]
- lower_case_table_names = 1
- default_storage_engine=InnoDB
- basedir=/opt/bitnami/mariadb
- datadir=/bitnami/mariadb/data
- plugin_dir=/opt/bitnami/mariadb/plugin
- tmpdir=/opt/bitnami/mariadb/tmp
- socket=/opt/bitnami/mariadb/tmp/mysql.sock
- pid_file=/opt/bitnami/mariadb/tmp/mysqld.pid
- bind_address=0.0.0.0
-
- ## Character set
- collation_server=utf8_unicode_ci
- init_connect='SET NAMES utf8'
- character_set_server=utf8
-
- ## MyISAM
- key_buffer_size=32M
- myisam_recover_options=FORCE,BACKUP
-
- ## Safety
- skip_host_cache
- skip_name_resolve
- max_allowed_packet=16M
- max_connect_errors=1000000
- sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY
- sysdate_is_now=1
-
- ## Binary Logging
- log_bin=mysql-bin
- expire_logs_days=14
- # Disabling for performance per http://severalnines.com/blog/9-tips-going-production-galera-cluster-mysql
- sync_binlog=0
- # Required for Galera
- binlog_format=row
-
- ## Caches and Limits
- tmp_table_size=32M
- max_heap_table_size=32M
- # Re-enabling as now works with Maria 10.1.2
- query_cache_type=1
- query_cache_limit=4M
- query_cache_size=256M
- max_connections=500
- thread_cache_size=50
- open_files_limit=65535
- table_definition_cache=4096
- table_open_cache=4096
-
- ## InnoDB
- innodb=FORCE
- innodb_strict_mode=1
- # Mandatory per https://github.com/codership/documentation/issues/25
- innodb_autoinc_lock_mode=2
- # Per https://www.percona.com/blog/2006/08/04/innodb-double-write/
- innodb_doublewrite=1
- innodb_flush_method=O_DIRECT
- innodb_log_files_in_group=2
- innodb_log_file_size=128M
- innodb_flush_log_at_trx_commit=1
- innodb_file_per_table=1
- # 80% Memory is default reco.
- # Need to re-evaluate when DB size grows
- innodb_buffer_pool_size=2G
- innodb_file_format=Barracuda
-
- ## Logging
- log_error=/opt/bitnami/mariadb/logs/mysqld.log
- slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log
- log_queries_not_using_indexes=1
- slow_query_log=1
-
- ## SSL
- ## Use extraVolumes and extraVolumeMounts to mount /certs filesystem
- # ssl_ca=/certs/ca.pem
- # ssl_cert=/certs/server-cert.pem
- # ssl_key=/certs/server-key.pem
-
- [galera]
- wsrep_on=ON
- wsrep_provider=/opt/bitnami/mariadb/lib/libgalera_smm.so
- wsrep_sst_method=mariabackup
- wsrep_slave_threads=4
- wsrep_cluster_address=gcomm://
- wsrep_cluster_name=galera
- wsrep_sst_auth="root:"
- # Enabled for performance per https://mariadb.com/kb/en/innodb-system-variables/#innodb_flush_log_at_trx_commit
- innodb_flush_log_at_trx_commit=2
- # MYISAM REPLICATION SUPPORT #
- wsrep_replicate_myisam=ON
-
- [mariadb]
- plugin_load_add=auth_pam
-
- ## Data-at-Rest Encryption
- ## Use extraVolumes and extraVolumeMounts to mount /encryption filesystem
- # plugin_load_add=file_key_management
- # file_key_management_filename=/encryption/keyfile.enc
- # file_key_management_filekey=FILE:/encryption/keyfile.key
- # file_key_management_encryption_algorithm=AES_CTR
- # encrypt_binlog=ON
- # encrypt_tmp_files=ON
-
- ## InnoDB/XtraDB Encryption
- # innodb_encrypt_tables=ON
- # innodb_encrypt_temporary_tables=ON
- # innodb_encrypt_log=ON
- # innodb_encryption_threads=4
- # innodb_encryption_rotate_key_age=1
-
- ## Aria Encryption
- # aria_encrypt_tables=ON
- # encrypt_tmp_disk_tables=ON
-
cds-blueprints-processor:
enabled: true
config:
- containerPort: {{ default $port.plain_port $port.internal_plain_port }}
name: {{ $port.name }}-plain
{{- end }}
+{{- if $port.l4_protocol }}
+ protocol: {{ $port.l4_protocol }}
+{{- end }}
{{- end }}
{{- end -}}
security:
# comma-separated uri patterns which do not require authorization
- permit-uri: /actuator/**,/swagger-ui/**,/swagger-resources/**,/api-docs
+ permit-uri: /actuator/**,/swagger-ui.html,/swagger-ui/**,/swagger-resources/**,/api-docs/**,/v3/api-docs/**
auth:
username: ${CPS_USERNAME}
password: ${CPS_PASSWORD}
security:
# comma-separated uri patterns which do not require authorization
- permit-uri: /actuator/**,/swagger-ui/**,/swagger-resources/**,/v3/api-docs
+ permit-uri: /actuator/**,/swagger-ui.html,/swagger-ui/**,/swagger-resources/**,/api-docs/**,/v3/api-docs
auth:
username: ${DMI_PLUGIN_USERNAME}
password: ${DMI_PLUGIN_PASSWORD}
#============LICENSE_START========================================================
# ================================================================================
-# Copyright (c) 2020 J. F. Lucas. All rights reserved.
+# Copyright (c) 2020, 2024 J. F. Lucas. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# ============LICENSE_END=========================================================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "NewDelhi"
description: DCAE Microservices
name: dcaegen2-services
-version: 13.0.0
+version: 13.0.2
dependencies:
- name: common
# Copyright (c) 2021 AT&T Intellectual Property
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Copyright (c) 2024 J. F. Lucas. All rights reserved.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# ================================= LICENSE_END ==============================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "NewDelhi"
description: DCAE SNMPTrap Collector
name: dcae-snmptrap-collector
-version: 13.0.0
+version: 13.0.1
dependencies:
- name: common
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.collectors.snmptrap:2.0.7
+image: onap/org.onap.dcaegen2.collectors.snmptrap:2.0.8
pullPolicy: Always
# Log directory where logging sidecar should look for log files
dns_cache_ttl_seconds: 60
services_calls: {}
snmptrapd:
- version: '2.0.4'
+ version: '2.0.8'
title: ONAP SNMP Trap Receiver
sw_interval_in_seconds: 60
streams_publishes:
dmaap_info:
topic_url: http://message-router:3904/events/unauthenticated.ONAP-COLLECTOR-SNMPTRAP
type: message_router
- aaf_password: null
- aaf_username: null
+ aaf_password: ""
+ aaf_username: ""
files:
runtime_base_dir: "/opt/app/snmptrap"
log_dir: logs
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# ============LICENSE_END=========================================================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "NewDelhi"
description: DCAE VES Collector
name: dcae-ves-collector
-version: 13.0.0
+version: 13.1.0
dependencies:
- name: common
--- /dev/null
+{{/*
+# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{ include "common.kafkatopic" . }}
--- /dev/null
+{{/*
+# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{ include "common.kafkauser" . }}
--- /dev/null
+{{/*
+# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.secretFast" . }}
# Copyright (c) 2021-2022 Nokia. All rights reserved.
# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved.
# Copyright (c) 2022 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# Application configuration defaults.
#################################################################
# application image
-image: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.12.3
+image: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.12.4
pullPolicy: Always
# log directory where logging sidecar should look for log files
applicationEnv:
CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml'
LOG4J_FORMAT_MSG_NO_LOOKUPS: 'true'
+ BOOTSTRAP_SERVERS: '{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092'
+ JAAS_CONFIG:
+ externalSecret: true
+ externalSecretUid: '{{ include "common.name" . }}-ku'
+ key: sasl.jaas.config
+
+# Strimzi Kafka config
+kafkaUser:
+ acls:
+ - name: unauthenticated.VES_PNFREG_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.VES_NOTIFICATION_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.SEC_HEARTBEAT_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.SEC_OTHER_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.SEC_FAULT_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.VES_MEASUREMENT_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.SEC_3GPP_FAULTSUPERVISION_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.SEC_3GPP_HEARTBEAT_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+ - name: unauthenticated.SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT
+ type: topic
+ patternType: literal
+ operations: [Write, DescribeConfigs]
+
+kafkaTopic:
+ - name: unauthenticated.VES_PNFREG_OUTPUT
+ strimziTopicName: unauthenticated.ves-pnfreg-output
+ - name: unauthenticated.VES_NOTIFICATION_OUTPUT
+ strimziTopicName: unauthenticated.ves-notification-output
+ - name: unauthenticated.SEC_HEARTBEAT_OUTPUT
+ strimziTopicName: unauthenticated.sec-heartbeat-output
+ - name: unauthenticated.SEC_OTHER_OUTPUT
+ strimziTopicName: unauthenticated.sec-other-output
+ - name: unauthenticated.SEC_FAULT_OUTPUT
+ strimziTopicName: unauthenticated.sec-fault-output
+ - name: unauthenticated.VES_MEASUREMENT_OUTPUT
+ strimziTopicName: unauthenticated.ves-measurment-output
+ - name: unauthenticated.SEC_3GPP_FAULTSUPERVISION_OUTPUT
+ strimziTopicName: unauthenticated.sec-3gpp-faultsupervision-output
+ - name: unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT
+ strimziTopicName: unauthenticated.sec-3gpp-provisioning-output
+ - name: unauthenticated.SEC_3GPP_HEARTBEAT_OUTPUT
+ strimziTopicName: unauthenticated.sec-3gpp-heartbeat-output
+ - name: unauthenticated.SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT
+ strimziTopicName: unauthenticated.sec-3gpp-performanceassurance-output
# initial application configuration
applicationConfig:
apiVersion: v2
description: ONAP platform components
name: platform
-version: 13.0.0
+version: 13.0.1
dependencies:
- name: oom-cert-service
# limitations under the License.
# ============LICENSE_END=========================================================
apiVersion: v2
-version: 13.0.0
+version: 13.0.1
description: ONAP Realm creation and configuration
name: keycloak-init
sources:
version: ~13.x-0
repository: '@local'
- name: onap-keycloak-config-cli
- version: 5.6.1
+ version: 5.10.0
repository: 'file://components/keycloak-config-cli'
name: onap-keycloak-config-cli
description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.
home: https://github.com/adorsys/keycloak-config-cli
-version: 5.6.1
-appVersion: 5.6.1
+version: 5.10.0
+appVersion: 5.10.0
maintainers:
- name: jkroepke
email: joe@adorsys.de
image:
repository: adorsys/keycloak-config-cli
- tag: "{{ .Chart.AppVersion }}-19.0.3"
+ tag: "{{ .Chart.AppVersion }}-22.0.4"
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
+++ /dev/null
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2022 Deutsche Telekom
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.ingress" . }}
\ No newline at end of file
PORTAL_URL: "https://portal-ui.simpledemo.onap.org"
onap-keycloak-config-cli:
+ image:
+ pullSecrets:
+ - name: onap-docker-registry-key
#existingSecret: "keycloak-keycloakx-admin-creds"
env:
- KEYCLOAK_URL: http://keycloak-http.keycloak.svc.cluster.local/auth/
+ KEYCLOAK_URL: http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/
KEYCLOAK_SSLVERIFY: "false"
KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true"
secrets:
KEYCLOAK_PASSWORD: secret
existingConfigSecret: "keycloak-config-cli-config-realms"
-ingress:
- service:
- - baseaddr: "keycloak-ui"
- name: "keycloak-http.keycloak.svc.cluster.local"
- path: "/auth"
- port: 80
- # If `true`, an Ingress is created
- enabled: false
- config:
- ssl: "redirect"
-
serviceAccount:
nameOverride: keycloak-init
roles:
apiVersion: v2
description: ONAP Policy
name: policy
-version: 13.0.0
+version: 13.0.1
dependencies:
- name: common
- name: mariadb-galera
version: ~13.x-0
repository: '@local'
- condition: global.mariadb.localCluster
+ condition: global.mariadbGalera.localCluster
- name: policy-nexus
version: ~13.x-0
repository: 'file://components/policy-nexus'
# Global configuration defaults.
#################################################################
global:
- mariadb:
+ mariadbGalera:
+ # flag to enable the DB creation via mariadb-operator
+ useOperator: true
+ # if useOperator set to "true", set "enableServiceAccount to "false"
+ # as the SA is created by the Operator
+ enableServiceAccount: false
localCluster: true
# '&mariadbConfig' means we "store" the values for later use in the file
# with '*mariadbConfig' pointer.
service: &mariadbService
name: &policy-mariadb policy-mariadb
internalPort: 3306
+ nameOverride: *policy-mariadb
+ # (optional) if localCluster=false and an external secret is used set this variable
+ #userRootSecret: <secretName>
prometheusEnabled: false
postgres:
localCluster: false
- uid: db-root-password
name: &dbRootPassSecretName '{{ include "common.release" . }}-policy-db-root-password'
type: password
- externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) (hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret"))}}'
+ externalSecret: '{{ .Values.global.mariadbGalera.localCluster |
+ ternary (( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) |
+ ternary
+ ""
+ (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .)
+ )
+ ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) |
+ ternary
+ .Values.global.mariadbGalera.userRootSecret
+ (include "common.mariadb.secret.rootPassSecretName"
+ (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)
+ )
+ ) }}'
password: '{{ (index .Values "mariadb-galera" "rootUser" "password") }}'
policy: generate
- uid: db-secret
someConfig: blah
mariadb-galera:
- # mariadb-galera.config and global.mariadb.config must be equals
+ # mariadb-galera.config and global.mariadbGalera.config must be equals
db:
user: policy-user
# password:
rootUser:
externalSecret: *dbRootPassSecretName
nameOverride: *policy-mariadb
- # mariadb-galera.service and global.mariadb.service must be equals
+ # mariadb-galera.service and global.mariadbGalera.service must be equals
service: *mariadbService
replicaCount: 1
mariadbOperator: