#. Update the CRD definition::
- > kubectl -n onap apply -f cmpv2-cert-provider/crds/cmpv2issuer.yaml
- #. Upgrade the component
+ > kubectl -n onap apply -f oom/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml
+ #. Upgrade the component::
+
+ > helm -n onap upgrade dev-platform oom/kubernetes/platform
#. Make sure that *cmpv2issuer* contains correct value for
*spec.updateEndpoint*. The value should be: *v1/certificate-update*.
If it's not, edit the resource::
so@so.onap.org|sdnc-simulator|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'localhost', 'sdnc-simulator'}|aaf_admin@osaaf.org|{'pkcs12'}
so@so.onap.org|so-apih|local|/opt/app/osaaf/local||mailto:rp6768@att.com|org.onap.so|root|30|{'mso-asdc-controller-svc', 'mso-bpmn-infra-svc', 'mso-catalog-db-adapter-svc', 'mso-openstack-adapter-svc', 'mso-request-db-adapter-svc', 'mso-sdnc-adapter-svc'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'}
so@so.onap.org|so-client|local|/opt/app/osaaf/local||mailto:rp6768@att.com|org.onap.so|root|30||mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'}
-so@so.onap.org|so|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'so.api.simpledemo.onap.org', 'so.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'}
+so@so.onap.org|so|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'so.api.simpledemo.onap.org', 'so.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'}
so@so.onap.org|so-vnfm-adapter|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'so-vnfm-adapter', 'so-vnfm-adapter.onap'}|aaf_admin@osaaf.org|{'pkcs12'}
so@so.onap.org|so-vnfm-simulator|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'so-vnfm-simulator', 'so-vnfm-simulator.onap'}|aaf_admin@osaaf.org|{'pkcs12'}
tester1@test.portal.onap.org|tester1|aaf|/||mailto:|org.onap.portal.test|root|30||@osaaf.org|{'file', 'jks', 'pkcs12', 'script'}
--- /dev/null
+server.port=9516
+{{ if ( include "common.needTLS" .) }}
+server.ssl.key-store=${CONFIG_HOME}/auth/tomcat_keystore
+server.ssl.client-auth=need
+{{ else }}
+security.require-ssl=false
+server.ssl.enabled=false
+{{ end }}
+
+server.servlet.context-path=/services/babel-service
+
+logging.config=${CONFIG_HOME}/logback.xml
+
+tosca.mappings.config=${CONFIG_HOME}/tosca-mappings.json
{{- if eq .Values.service.type "NodePort" }}
- port: {{ .Values.service.internalPort }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}
+ name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
{{- else }}
- port: {{ .Values.service.externalPort }}
targetPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}
+ name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
{{- end }}
selector:
#################################################################
# application image
-image: onap/babel:1.8.0
+image: onap/babel:1.9.1
flavor: small
flavorOverride: small
service:
type: NodePort
- portName: babel
+ portName: http
externalPort: 9516
internalPort: 9516
nodePort: 79
# this could come from siteconfig.pl?
aai.config.nodename=AutomaticallyOverwritten
+{{ if ( include "common.needTLS" .) }}
aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/
aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/
aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/
+{{ else }}
+aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/
+aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/
+aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/
+{{ end }}
-{{ if .Values.global.config.basic.auth.enabled }}
+{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }}
aai.tools.enableBasicAuth=true
aai.tools.username={{ .Values.global.config.basic.auth.username }}
aai.tools.password={{ .Values.global.config.basic.auth.passwd }}
{{ end }}
+{{ if ( include "common.needTLS" .) }}
aai.truststore.filename={{ .Values.global.config.truststore.filename }}
aai.truststore.passwd.x={{ .Values.global.config.truststore.passwd }}
aai.keystore.filename={{ .Values.global.config.keystore.filename }}
aai.keystore.passwd.x={{ .Values.global.config.keystore.passwd }}
+{{ end }}
aai.notification.current.version={{ .Values.global.config.schema.version.api.default }}
aai.notificationEvent.default.status=UNPROCESSED
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration
-spring.profiles.active={{ .Values.config.profiles.active }}
+spring.profiles.active={{ .Values.config.profiles.active }}{{ (eq "true" (include "common.needTLS" .)) | ternary ",one-way-ssl" "" }}
spring.jersey.application-path=${schema.uri.base.path}
#The max number of active threads in this pool
server.tomcat.max-threads=200
server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties
server.port=8449
+{{ if ( include "common.needTLS" .) }}
server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
server.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }}
server.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }})
server.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }})
server.ssl.client-auth=want
server.ssl.key-store-type=JKS
+{{ else }}
+security.require-ssl=false
+server.ssl.enabled=false
+{{ end }}
# JMS bind address host port
jms.bind.address=tcp://localhost:61649
-dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:3905
-dmaap.ribbon.transportType=https
+dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }}
+dmaap.ribbon.transportType={{ include "common.scheme" . }}
# Schema related attributes for the oxm and edges
# Any additional schema related attributes should start with prefix schema
schema.version.api.default={{ .Values.global.config.schema.version.api.default }}
schema.translator.list={{ .Values.global.config.schema.translator.list }}
-schema.service.base.url=https://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/
+schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/
schema.service.nodes.endpoint=nodes?version=
schema.service.edges.endpoint=edgerules?version=
schema.service.versions.endpoint=versions
-schema.service.client={{ .Values.global.config.schema.service.client }}
+schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }}
+{{ if ( include "common.needTLS" .) }}
schema.service.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }}
schema.service.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.truststore.filename }}
schema.service.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }})
schema.service.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }})
+{{ end }}
aperture.rdbmsname=aai_relational
-aperture.service.client={{ .Values.global.config.schema.service.client }}
+aperture.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }}
+
aperture.service.base.url=http://localhost:8457/aai/aperture
+{{ if ( include "common.needTLS" .) }}
aperture.service.ssl.key-store=${server.local.startpath}etc/auth/{{ .Values.global.config.keystore.filename }}
aperture.service.ssl.trust-store=${server.local.startpath}etc/auth/{{ .Values.global.config.truststore.filename }}
aperture.service.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }})
aperture.service.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }})
+{{ end }}
aperture.service.timeout-in-milliseconds=300000
{{ end }}
restartPolicy: {{ .Values.restartPolicy }}
imagePullSecrets:
- - name: "{{ include "common.namespace" . }}-docker-registry-key"
+ - name: {{ include "common.namespace" . }}-docker-registry-key
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command:
- /bin/bash
- - docker-entrypoint.sh
- - dataSnapshot.sh
+ - -c
+ - |
+ bash docker-entrypoint.sh dataSnapshot.sh ;
+ {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
env:
- name: LOCAL_USER_ID
value: {{ .Values.global.config.userId | quote }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command:
- /bin/bash
- - docker-entrypoint.sh
- - createDBSchema.sh
+ - -c
+ - |
+ bash docker-entrypoint.sh createDBSchema.sh ;
+ {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
env:
- name: LOCAL_USER_ID
value: {{ .Values.global.config.userId | quote }}
{{ end }}
restartPolicy: Never
imagePullSecrets:
- - name: "{{ include "common.namespace" . }}-docker-registry-key"
+ - name: {{ include "common.namespace" . }}-docker-registry-key
{{ end }}
command:
- /bin/bash
- -c
- - bash docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges
+ - |
+ bash docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges ;
+ {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
env:
- name: LOCAL_USER_ID
value: {{ .Values.global.config.userId | quote }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command:
- /bin/bash
- - docker-entrypoint.sh
- - dataSnapshot.sh
+ - -c
+ - |
+ bash docker-entrypoint.sh dataSnapshot.sh ;
+ {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
env:
- name: LOCAL_USER_ID
value: {{ .Values.global.config.userId | quote }}
{{if eq .Values.service.type "NodePort" -}}
- port: {{ .Values.service.internalPort }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}
+ name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
- port: {{ .Values.service.internalPort2 }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }}
name: {{ .Values.service.portName2 }}
{{- else -}}
- port: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}
+ name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
- port: {{ .Values.service.internalPort2 }}
name: {{ .Values.service.portName2 }}
{{- end}}
selector:
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
- clusterIP: None
# Schema specific properties that include supported versions of api
schema:
# Specifies if the connection should be one way ssl, two way ssl or no auth
+ # will be set to no-auth if tls is disabled
service:
client: one-way-ssl
# Specifies which translator to use if it has schema-service, then it will
version:
# Current version of the REST API
api:
- default: v21
+ default: v24
# Specifies which version the depth parameter is configurable
depth: v11
# List of all the supported versions of the API
- list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21
+ list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24
# Specifies from which version related link should appear
related:
link: v11
# application image
-image: onap/aai-graphadmin:1.8.0
+image: onap/aai-graphadmin:1.9.1
pullPolicy: Always
restartPolicy: Always
flavor: small
# Specify the profiles for the graphadmin microservice
profiles:
- active: "dmaap,one-way-ssl"
+ # one way ssl profile will be set unless tlsEnabled is set to false or serviceMesh is enabled and
+ # serviceMesh.tls is set to tru
+ active: dmaap #,one-way-ssl"
# Specifies the timeout limit for the REST API requests
timeout:
service:
type: ClusterIP
# REST API port for the graphadmin microservice
- portName: aai-graphadmin-8449
+ portName: http
internalPort: 8449
- portName2: aai-graphadmin-5005
+ portName2: tcp-5005
internalPort2: 5005
terminationGracePeriodSeconds: 120
# Model Loader Distribution Client Configuration
*/}}
ml.distribution.ACTIVE_SERVER_TLS_AUTH=false
+{{ if ( include "common.needTLS" .) }}
ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8443
-ml.distribution.CONSUMER_GROUP=aai-ml-group
-ml.distribution.CONSUMER_ID=aai-ml
-ml.distribution.ENVIRONMENT_NAME=AUTO
+ml.distribution.ASDC_USE_HTTPS=true
ml.distribution.KEYSTORE_PASSWORD=
ml.distribution.KEYSTORE_FILE=asdc-client.jks
ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp
+{{ else }}
+ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8080
+ml.distribution.ASDC_USE_HTTPS=false
+{{ end }}
+ml.distribution.CONSUMER_GROUP=aai-ml-group
+ml.distribution.CONSUMER_ID=aai-ml
+ml.distribution.ENVIRONMENT_NAME=AUTO
ml.distribution.POLLING_INTERVAL=30
ml.distribution.POLLING_TIMEOUT=20
ml.distribution.USER=aai
ml.distribution.MSG_BUS_ADDRESSES=message-router.{{.Release.Namespace}}
# Model Loader AAI REST Client Configuration
+{{ if ( include "common.needTLS" .) }}
ml.aai.BASE_URL=https://aai.{{.Release.Namespace}}:8443
+ml.aai.KEYSTORE_FILE=aai-os-cert.p12
+ml.aai.KEYSTORE_PASSWORD=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o
+{{ else }}
+ml.aai.BASE_URL=http://aai.{{.Release.Namespace}}:8080
+{{ end }}
ml.aai.MODEL_URL=/aai/v*/service-design-and-creation/models/model/
ml.aai.NAMED_QUERY_URL=/aai/v*/service-design-and-creation/named-queries/named-query/
ml.aai.VNF_IMAGE_URL=/aai/v*/service-design-and-creation/vnf-images
-ml.aai.KEYSTORE_FILE=aai-os-cert.p12
-ml.aai.KEYSTORE_PASSWORD=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o
+
ml.aai.AUTH_USER=ModelLoader
ml.aai.AUTH_PASSWORD=OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw
# Model Loader Babel REST Client Configuration\r
-ml.babel.BASE_URL=https://aai-babel.{{.Release.Namespace}}:9516
+ml.babel.BASE_URL={{ include "common.scheme" . }}://aai-babel.{{.Release.Namespace}}:9516
ml.babel.GENERATE_ARTIFACTS_URL=/services/babel-service/v1/app/generateArtifacts
+{{ if ( include "common.needTLS" .) }}
ml.babel.KEYSTORE_FILE=babel-client-cert.p12
ml.babel.KEYSTORE_PASSWORD=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
ml.babel.TRUSTSTORE_FILE=tomcat_keystore
ml.babel.TRUSTSTORE_PASSWORD=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
+{{ end }}
# application image
-image: onap/model-loader:1.8.0
+image: onap/model-loader:1.9.1
pullPolicy: Always
restartPolicy: Always
flavor: small
service:
type: NodePort
- portName: aai-modelloader
+ portName: http
externalPort: 8080
internalPort: 8080
nodePort: 10
- portName2: aai-modelloader-ssl
+ portName2: https
externalPort2: 8443
internalPort2: 8443
nodePort2: 29
# this could come from siteconfig.pl?
aai.config.nodename=AutomaticallyOverwritten
+{{ if ( include "common.needTLS" .) }}
aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/
aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/
aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/
+{{ else }}
+aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/
+aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/
+aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/
+{{ end }}
{{ if .Values.global.config.basic.auth.enabled }}
aai.tools.enableBasicAuth=true
aai.tools.password={{ .Values.global.config.basic.auth.passwd }}
{{ end }}
+{{ if ( include "common.needTLS" .) }}
aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}
aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
aai.keystore.passwd.x=${KEYSTORE_PASSWORD}
+{{ end }}
aai.notification.current.version={{ .Values.global.config.schema.version.api.default }}
aai.notificationEvent.default.status=UNPROCESSED
spring.main.allow-bean-definition-overriding=true
server.servlet.context-path=/
-spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
+spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration
-spring.profiles.active={{ .Values.global.config.profiles.active }}
+spring.profiles.active={{ .Values.global.config.profiles.active }}{{ .Values.global.aafEnabled | ternary ",aaf-auth" "" }}
spring.jersey.application-path=${schema.uri.base.path}
#The max number of active threads in this pool
server.tomcat.max-threads=200
server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties
server.port=8447
+{{ if ( include "common.needTLS" .) }}
server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
server.ssl.key-store-password=${KEYSTORE_PASSWORD}
server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
server.ssl.client-auth=want
server.ssl.key-store-type=JKS
+{{ else }}
+security.require-ssl=false
+server.ssl.enabled=false
+{{ end }}
# JMS bind address host port
jms.bind.address=tcp://localhost:61647
-dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:3905
-dmaap.ribbon.transportType=https
+dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }}
+dmaap.ribbon.transportType={{ include "common.scheme" . }}
# Schema related attributes for the oxm and edges
# Any additional schema related attributes should start with prefix schema
schema.version.api.default={{ .Values.global.config.schema.version.api.default }}
schema.translator.list={{ .Values.global.config.schema.translator.list }}
-schema.service.base.url=https://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/
+schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/
schema.service.nodes.endpoint=nodes?version=
schema.service.edges.endpoint=edgerules?version=
schema.service.versions.endpoint=versions
-schema.service.client={{ .Values.global.config.schema.service.client }}
+schema.service.client={{ (eq "true" ( include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }}
+{{ if ( include "common.needTLS" .) }}
schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
schema.service.ssl.key-store-password=${KEYSTORE_PASSWORD}
schema.service.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
+{{ end }}
{{ if eq .Values.service.type "NodePort" -}}
- port: {{ .Values.service.internalPort }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}
+ name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
- port: {{ .Values.service.internalPort2 }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }}
name: {{ .Values.service.portName2 }}
{{- else -}}
- port: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}
+ name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
- port: {{ .Values.service.internalPort2 }}
name: {{ .Values.service.portName2 }}
{{- end }}
migration:
enabled: false
+ aafEnabled: false
+
config:
# Specifies that the cluster connected to a dynamic
# cluster being spinned up by kubernetes deployment
# Active spring profiles for the resources microservice
profiles:
- active: production,dmaap,aaf-auth #,keycloak
+ # aaf-auth profile will be automatically set if aaf enabled is set to true
+ active: production,dmaap #,aaf-auth
# Notification event specific properties
notification:
version:
# Current version of the REST API
api:
- default: v21
+ default: v24
# Specifies which version the depth parameter is configurable
depth: v11
# List of all the supported versions of the API
- list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21
+ list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24
# Specifies from which version related link should appear
related:
link: v11
chown -R 1000 {{ .Values.credsPath }}
# application image
-image: onap/aai-resources:1.8.2
+image: onap/aai-resources:1.9.1
pullPolicy: Always
restartPolicy: Always
flavor: small
service:
type: ClusterIP
- portName: aai-resources-8447
+ portName: http
internalPort: 8447
- portName2: aai-resources-5005
+ portName2: tcp-5005
internalPort2: 5005
terminationGracePeriodSeconds: 120
# ============LICENSE_END=========================================================
*/}}
+{{ if ( include "common.needTLS" .) }}
aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/
aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/
aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/
+{{ else }}
+aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/
+aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/
+aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/
+{{ end }}
-{{ if .Values.global.config.basic.auth.enabled }}
+{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }}
aai.tools.enableBasicAuth=true
aai.tools.username={{ .Values.global.config.basic.auth.username }}
aai.tools.password={{ .Values.global.config.basic.auth.passwd }}
{{ end }}
+{{ if ( include "common.needTLS" .) }}
aai.truststore.filename={{ .Values.global.config.truststore.filename }}
aai.truststore.passwd.x={{ .Values.global.config.truststore.passwd }}
aai.keystore.filename={{ .Values.global.config.keystore.filename }}
aai.keystore.passwd.x={{ .Values.global.config.keystore.passwd }}
+{{ end }}
aai.default.api.version={{ .Values.global.config.schema.version.api.default }}
server.basic.auth.location=${server.local.startpath}/etc/auth/realm.properties
server.port=8452
+{{ if ( include "common.needTLS" .) }}
server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
server.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }}
server.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }})
server.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }})
server.ssl.client-auth=want
server.ssl.key-store-type=JKS
+{{ else }}
+security.require-ssl=false
+server.ssl.enabled=false
+{{ end }}
schema.configuration.location=N/A
schema.source.name={{ .Values.global.config.schema.source.name }}
{{if eq .Values.service.type "NodePort" -}}
- port: {{ .Values.service.internalPort }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}
+ name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
- port: {{ .Values.service.internalPort2 }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }}
name: {{ .Values.service.portName2 }}
{{- else -}}
- port: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}
+ name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
- port: {{ .Values.service.internalPort2 }}
name: {{ .Values.service.portName2 }}
- {{- end}}
+ {{- end }}
selector:
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
- clusterIP: None
version:
# Current version of the REST API
api:
- default: v23
+ default: v24
# Specifies which version the depth parameter is configurable
depth: v11
# List of all the supported versions of the API
- list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23
+ list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24
# Specifies from which version related link should appear
related:
link: v11
- aai_keystore
# application image
-image: onap/aai-schema-service:1.8.6
+image: onap/aai-schema-service:1.9.1
pullPolicy: Always
restartPolicy: Always
flavorOverride: small
service:
type: ClusterIP
- portName: aai-schema-service-8452
+ portName: http
internalPort: 8452
- portName2: aai-schema-service-5005
+ portName2: tcp-5005
internalPort2: 5005
ingress:
#schemaServiceTranslator is used to define whether to retreive the oxm from schema service microservice or read from the disk, possible values are schema-service/config
oxm.schemaServiceTranslatorList=config
# The end point for onap is https://<hostname>:<port>/onap/schema-service/v1/
+{{ if ( include "common.needTLS" .) }}
oxm.schemaServiceBaseUrl=https://<schema-service/config>/aai/schema-service/v1/
oxm.schemaServiceKeystore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
oxm.schemaServiceTruststore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
oxm.schemaServiceKeystorePassword=${KEYSTORE_PASSWORD}
oxm.schemaServiceTruststorePassword=${TRUSTSTORE_PASSWORD}
-
+{{ else }}
+oxm.schemaServiceBaseUrl=http://<schema-service/config>/aai/schema-service/v1/
+{{ end }}
# Schema Service need this variable for the time being
*/}}
resources.hostname=aai
+{{ if ( include "common.needTLS" .) }}
resources.port=8443
resources.authType=SSL_BASIC
resources.basicAuthUserName=aai@aai.onap.org
resources.trust-store-password=${TRUSTSTORE_PASSWORD}
resources.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
resources.client-cert-password=${KEYSTORE_PASSWORD}
+{{ else }}
+resources.port=8080
+resources.authType=HTTP_NOAUTH
+{{ end }}
# limitations under the License.
server.port=8000
+{{ if ( include "common.needTLS" .) }}
server.ssl.key-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
server.ssl.key-store-password=${KEYSTORE_PASSWORD}
server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
server.ssl.trust-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
+{{ else }}
+security.require-ssl=false
+server.ssl.enabled=false
+{{ end }}
# and in the values.yaml change the internalPort to 9517
#
-spring.profiles.active=camel,ssl,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy
+spring.profiles.active=camel,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy,{{ ( eq "true" ( include "common.needTLS" .)) | ternary "ssl" "http" }}
portal.cadiFileLocation={{.Values.config.cadiFileLocation}}
searchservice.hostname={{.Values.global.searchData.serviceName}}
searchservice.port=9509
+{{ if ( include "common.needTLS" .) }}
searchservice.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
searchservice.client-cert-password=${KEYSTORE_PASSWORD}
searchservice.truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
searchservice.truststore-password=${TRUSTSTORE_PASSWORD}
+{{ end }}
schema.ingest.file=${CONFIG_HOME}/schemaIngest.properties
name: {{ include "common.name" . }}
spec:
initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ {{- if ( include "common.needTLS" .) }}
- command:
- sh
args:
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}-update-config
+ {{- end }}
- command:
- /app/ready.py
args:
{{if eq .Values.service.type "NodePort" -}}
- port: {{ .Values.service.internalPort }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}
+ name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
{{- else -}}
- port: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}
- {{- end}}
+ name: {{ .Values.service.portName }}{{ ternary "s" "" (eq "true" (include "common.needTLS" .)) }}
+ {{- end }}
selector:
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
service:
type: NodePort
- portName: aai-sparky-be
+ portName: http
internalPort: 8000
nodePort: 20
# this could come from siteconfig.pl?
aai.config.nodename=AutomaticallyOverwritten
+{{ if ( include "common.needTLS" .) }}
aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/
aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/
aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/
+{{else}}
+aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/
+aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/
+aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/
+{{ end }}
-{{ if .Values.global.config.basic.auth.enabled }}
+{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }}
aai.tools.enableBasicAuth=true
aai.tools.username={{ .Values.global.config.basic.auth.username }}
aai.tools.password={{ .Values.global.config.basic.auth.passwd }}
{{ end }}
+{{ if ( include "common.needTLS" .) }}
aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}
aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
aai.keystore.passwd.x=${KEYSTORE_PASSWORD}
+{{ end }}
aai.notification.current.version={{ .Values.global.config.schema.version.api.default }}
aai.notificationEvent.default.status=UNPROCESSED
spring.main.allow-bean-definition-overriding=true
server.servlet.context-path=/
-spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration
-
-spring.profiles.active={{ .Values.global.config.profiles.active }}
+spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration
+spring.profiles.active={{ .Values.global.config.profiles.active }}{{ (eq "true" (include "common.needTLS" .)) | ternary ",one-way-ssl" "" }}
spring.jersey.application-path=${schema.uri.base.path}
#The max number of active threads in this pool
server.tomcat.max-threads=200
server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties
server.port=8446
+{{ if ( include "common.needTLS" .) }}
server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
server.ssl.key-store-password=${KEYSTORE_PASSWORD}
server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
server.ssl.client-auth=want
server.ssl.key-store-type=JKS
+{{ else }}
+security.require-ssl=false
+server.ssl.enabled=false
+{{ end }}
# JMS bind address host port
jms.bind.address=tcp://localhost:61647
-dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:3905
-dmaap.ribbon.transportType=https
+dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }}
+dmaap.ribbon.transportType={{ include "common.scheme" . }}
# Schema related attributes for the oxm and edges
# Any additional schema related attributes should start with prefix schema
schema.version.api.default={{ .Values.global.config.schema.version.api.default }}
schema.translator.list={{ .Values.global.config.schema.translator.list }}
-schema.service.base.url=https://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/
+schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/
schema.service.nodes.endpoint=nodes?version=
schema.service.edges.endpoint=edgerules?version=
schema.service.versions.endpoint=versions
schema.service.custom.queries.endpoint=stored-queries
-schema.service.client={{ .Values.global.config.schema.service.client }}
+schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }}
+{{ if ( include "common.needTLS" .) }}
schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
schema.service.ssl.key-store-password=${KEYSTORE_PASSWORD}
schema.service.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
+{{ end }}
- bash
- "-c"
- |
- set -x
- if [ ! -d /opt/aai/logroot/AAI-GQ/misc ]; then mkdir -p /opt/aai/logroot/AAI-GQ/misc; fi
- until nc -w10 -z -v aai.{{.Release.Namespace}} 8443; do echo "Retrying to reach aai on port 8443"; done;
- bash -x /opt/app/aai-traversal/docker-entrypoint.sh install/updateQueryData.sh
+ set -x
+ if [ ! -d /opt/aai/logroot/AAI-GQ/misc ]; then mkdir -p /opt/aai/logroot/AAI-GQ/misc; fi
+ {{- if (include "common.needTLS" .) }}
+ until nc -w10 -z -v aai.{{.Release.Namespace}} 8443; do echo "Retrying to reach aai on port 8443"; done;
+ bash -x /opt/app/aai-traversal/docker-entrypoint.sh install/updateQueryData.sh
+ {{- else }}
+ until nc -w10 -z -v aai.{{.Release.Namespace}} 80; do echo "Retrying to reach aai on port 80"; done;
+ bash -x /opt/app/aai-traversal/docker-entrypoint.sh install/updateQueryData.sh ;
+ {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
+ {{- end }}
env:
- name: LOCAL_USER_ID
value: {{ .Values.global.config.userId | quote }}
{{if eq .Values.service.type "NodePort" -}}
- port: {{ .Values.service.internalPort }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}
+ name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
- port: {{ .Values.service.internalPort2 }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }}
name: {{ .Values.service.portName2 }}
{{- else -}}
- port: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}
+ name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
- port: {{ .Values.service.internalPort2 }}
name: {{ .Values.service.portName2 }}
- {{- end}}
+ {{- end }}
selector:
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
# Active spring profiles for the resources microservice
profiles:
- active: production,dmaap,aaf-auth #,keycloak
+ active: production,dmaap #,aaf-auth ,keycloak
# Notification event specific properties
notification:
version:
# Current version of the REST API
api:
- default: v21
+ default: v24
# Specifies which version the depth parameter is configurable
depth: v11
# List of all the supported versions of the API
- list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21
+ list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24
# Specifies from which version related link should appear
related:
link: v11
chown -R 1000 {{ .Values.credsPath }}
# application image
-image: onap/aai-traversal:1.8.0
+image: onap/aai-traversal:1.9.1
pullPolicy: Always
restartPolicy: Always
flavor: small
service:
type: ClusterIP
- portName: aai-traversal-8446
+ portName: http
internalPort: 8446
- portName2: aai-traversal-5005
+ portName2: tcp-5005
internalPort2: 5005
terminationGracePeriodSeconds: 120
#######################
-#DEFAULT BACKEND 847###
+#DEFAULT BACKEND 8447##
#######################
backend IST_Default_8447
log global
mode http
option httplog
+{{- if ( include "common.needTLS" .) }}
option ssl-hello-chk
+{{- end }}
option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ QUFJOkFBSQ==
default-server init-addr none
# option dontlognull
timeout http-keep-alive 30000
+frontend IST_8080
+ mode http
+ bind 0.0.0.0:8080
+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+ option httplog
+ log global
+ option logasap
+ option forwardfor
+ capture request header Host len 100
+ capture response header Host len 100
+ option log-separate-errors
+ option forwardfor
+ http-request set-header X-Forwarded-Proto http
+ reqadd X-Forwarded-Proto:\ http
+ reqadd X-Forwarded-Port:\ 8080
+
+#######################
+#ACLS FOR PORT 8446####
+#######################
+
+ acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
+ acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
+ acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
+ acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$
+ acl is_named-query path_beg -i /aai/search/named-query
+ acl is_search-model path_beg -i /aai/search/model
+ use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl
+
+ default_backend IST_Default_8447
+
+{{- if ( include "common.needTLS" .) }}
frontend IST_8443
mode http
bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem
http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
reqadd X-Forwarded-Proto:\ https
reqadd X-Forwarded-Port:\ 8443
+{{- end }}
#######################
#ACLS FOR PORT 8446####
default_backend IST_Default_8447
-
#######################
-#DEFAULT BACKEND 847###
+#DEFAULT BACKEND 8447##
#######################
backend IST_Default_8447
balance roundrobin
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+{{- if ( include "common.needTLS" .) }}
server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
-
+{{- else }}
+ server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447
+{{- end }}
#######################
# BACKEND 8446#########
balance roundrobin
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+{{- if ( include "common.needTLS" .) }}
server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
-
+{{- else }}
+ server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446
+{{- end }}
{{- include "common.certInitializer.volumeMount" . | nindent 8 }}
ports:
- containerPort: {{ .Values.service.internalPort }}
+ - containerPort: {{ .Values.service.internalPlainPort }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
{{- if eq .Values.liveness.enabled true }}
livenessProbe:
tcpSocket:
- port: {{ .Values.service.internalPort }}
+ port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
{{ end -}}
readinessProbe:
httpGet:
path: /aai/util/echo
- port: {{ .Values.service.internalPort }}
- scheme: HTTPS
+ port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
+ #scheme: HTTPS
+ scheme: {{ (eq "true" (include "common.needTLS" .)) | ternary "HTTPS" "HTTP" }}
httpHeaders:
- name: X-FromAppId
value: OOM_ReadinessCheck
heritage: {{ .Release.Service }}
spec:
ports:
- {{if eq .Values.service.type "NodePort" -}}
- - name: {{ .Values.service.portName }}
- port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
+ - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }}
+ port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.externalPort .Values.service.externalPlainPort }}
+ targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
+ {{- if eq .Values.service.type "NodePort" }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- {{- else -}}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}
- {{- end}}
+ {{- end }}
type: {{ .Values.service.type }}
selector:
app: {{ include "common.name" . }}
passwd: AAI
# Active spring profiles for the resources microservice
+ # aaf-auth profile will be automatically set if aaf enabled is set to true
profiles:
- active: production,dmaap,aaf-auth
+ active: production,dmaap #,aaf-auth
# Notification event specific properties
notification:
# Schema specific properties that include supported versions of api
schema:
# Specifies if the connection should be one way ssl, two way ssl or no auth
+ # will be set to no-auth if tls is disabled
service:
client: one-way-ssl
# Specifies which translator to use if it has schema-service, then it will make a rest request to schema service
version:
# Current version of the REST API
api:
- default: v23
+ default: v24
# Specifies which version the depth parameter is configurable
depth: v11
# List of all the supported versions of the API
- list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23
+ list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24
# Specifies from which version related link should appear
related:
link: v11
service:
type: NodePort
- portName: aai-ssl
+ portName: http
externalPort: 8443
internalPort: 8443
nodePort: 33
# POLICY hotfix - Note this must be temporary
# See https://jira.onap.org/browse/POLICY-510
aaiServiceClusterIp:
+ externalPlainPort: 80
+ internalPlainPort: 8080
+ nodeport: 33
ingress:
enabled: false
- baseaddr: "aai.api"
name: "aai"
port: 8443
- config:
- ssl: "redirect"
+ config:
+ ssl: "redirect"
resources:
small:
- name: serviceAccount
version: ~8.x-0
repository: '@local'
+ - name: certInitializer
+ version: ~8.x-0
+ repository: '@local'
+
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
spec:
- initContainers:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- command:
- sh
args:
value: {{ if (gt (int (.Values.replicaCount)) 2) }} {{ .Values.cluster.enabled | quote }} {{ else }} "false" {{ end }}
- name: CLUSTER_ID
value: {{ .Values.cluster.clusterName }}
+ - name: AAF_CREDSPATH
+ value: {{ .Values.certInitializer.credsPath }}
- name: CLUSTER_NODE_ID
valueFrom:
fieldRef:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
timeoutSeconds: {{ .Values.readiness.timeoutSeconds }}
- volumeMounts:
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
{{ toYaml .Values.affinity | indent 10 }}
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }}
- name: localtime
hostPath:
path: /etc/localtime
password: '{{ .Values.config.sdncDB.dbRootPass }}'
passwordPolicy: required
+#################################################################
+# AAF part
+#################################################################
+certInitializer:
+ nameOverride: cds-blueprints-processor-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: sdnc-cds
+ fqi: sdnc-cds@sdnc-cds.onap.org
+ public_fqdn: sdnc-cds.onap.org
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ app_ns: org.osaaf.aaf
+ credsPath: /opt/app/osaaf/local
+ fqi_namespace: org.onap.sdnc-cds
+ aaf_add_config: >
+ /opt/app/aaf_config/bin/agent.sh;
+ /opt/app/aaf_config/bin/agent.sh local showpass
+ {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+
#################################################################
# Application configuration defaults.
#################################################################
# application image
-image: onap/ccsdk-blueprintsprocessor:1.1.5
+image: onap/ccsdk-blueprintsprocessor:1.2.0
pullPolicy: Always
# flag to enable debugging - application support required
# Application configuration defaults.
#################################################################
# application image
-image: onap/ccsdk-commandexecutor:1.1.5
+image: onap/ccsdk-commandexecutor:1.2.0
pullPolicy: Always
# application configuration
# Application configuration defaults.
#################################################################
# application image
-image: onap/ccsdk-py-executor:1.1.5
+image: onap/ccsdk-py-executor:1.2.0
pullPolicy: Always
# default number of instances
# Application configuration defaults.
#################################################################
# application image
-image: onap/ccsdk-sdclistener:1.1.5
+image: onap/ccsdk-sdclistener:1.2.0
name: sdc-listener
pullPolicy: Always
{{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
# application image
-image: onap/ccsdk-cds-ui-server:1.1.5
+image: onap/ccsdk-cds-ui-server:1.2.0
pullPolicy: Always
# application configuration
print_usage ()
{
- echo "NAME"
- echo " Script to restore Cassandra database from Nuvo/Cain snapshot"
- echo "SYNOPSIS"
- echo " $me [--help|-h] [--base_db_dir|-b] [--snapshot_dir|-s] [--keyspace|-k] [--tag|-t]"
- echo " MUST OPTIONS: base_db_dir, snapshot_dir, keyspace_name"
- echo "DESCRIPTION"
- echo " --base_db_dir, -b"
- echo " Location of running Cassandra database"
- echo " --snapshot_dir, -s"
- echo " Snapshot location of Cassandra database taken by Nuvo/Cain"
- echo " --keyspace, -k"
- echo " Name of the keyspace to restore"
- echo "EXAMPLE"
- echo " $me -b /var/lib/cassandra/data -s /root/data.ss -k DISCOVERY_SERVER -t 1234567"
- exit
+ echo "NAME"
+ echo " Script to restore Cassandra database from Nuvo/Cain snapshot"
+ echo "SYNOPSIS"
+ echo " $me [--help|-h] [--base_db_dir|-b] [--snapshot_dir|-s] [--keyspace|-k] [--tag|-t]"
+ echo " MUST OPTIONS: base_db_dir, snapshot_dir, keyspace_name"
+ echo "DESCRIPTION"
+ echo " --base_db_dir, -b"
+ echo " Location of running Cassandra database"
+ echo " --snapshot_dir, -s"
+ echo " Snapshot location of Cassandra database taken by Nuvo/Cain"
+ echo " --keyspace, -k"
+ echo " Name of the keyspace to restore"
+ echo "EXAMPLE"
+ echo " $me -b /var/lib/cassandra/data -s /root/data.ss -k DISCOVERY_SERVER -t 1234567"
+ exit
}
if [ $# -eq 0 ]
then
- print_usage
+ print_usage
fi
while [ $# -gt 0 ]
shift
case $key in
- -h|--help)
- print_usage
- ;;
- -b|--base_db_dir)
- base_db_dir="$1"
- shift
- ;;
- -s|--snapshot_dir)
- ss_dir="$1"
- shift
- ;;
- -k|--keyspace)
- keyspace_name="$1"
- ;;
- -t|--tag)
- tag_name="$1"
- ;;
- --default)
- DEFAULT=YES
- shift
- ;;
- *)
- # unknown option
- ;;
+ -h|--help)
+ print_usage
+ ;;
+ -b|--base_db_dir)
+ base_db_dir="$1"
+ shift
+ ;;
+ -s|--snapshot_dir)
+ ss_dir="$1"
+ shift
+ ;;
+ -k|--keyspace)
+ keyspace_name="$1"
+ ;;
+ -t|--tag)
+ tag_name="$1"
+ ;;
+ --default)
+ DEFAULT=YES
+ shift
+ ;;
+ *)
+ # unknown option
+ ;;
esac
done
# Validate inputs
if [ "$base_db_dir" = "" ] || [ "$ss_dir" = "" ] || [ "$keyspace_name" = "" ]
then
- echo ""
- echo ">>>>>>>>>>Not all inputs provided, please check usage >>>>>>>>>>"
- echo ""
- print_usage
+ echo ""
+ echo ">>>>>>>>>>Not all inputs provided, please check usage >>>>>>>>>>"
+ echo ""
+ print_usage
fi
# Remove commit logs from current data dir
{{- $suffix := "set-tls-secret" }}
metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
spec:
+ backoffLimit: 20
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
initContainers: {{ include "common.certInitializer.initContainer" (dict "dot" . "initRoot" .Values) | nindent 6 }}
containers:
- - name: create tls secret
+ - name: create-tls-secret
command:
- /ingress/onboard.sh
image: {{ include "repositoryGenerator.image.kubectl" . }}
configMap:
name: {{ include "common.fullname" . }}-ingress
defaultMode: 0777
+ restartPolicy: Never
{{- end}}
cd /opt/app/config/cache
for file in $(ls feed*); do
NUM=$(echo "$file" | sed 's/feedConfig-\([0-9]\+\)-resp.json/\1/')
- export DR_LOG_URL_"$NUM"="$(grep -o '"logURL":"[^"]*' "$file" | cut -d '"' -f4)"
+ export DR_LOG_URL_"$NUM"="$(grep -o '"logURL":"[^"]*' "$file" | grep -w "feedlog" | cut -d '"' -f4)"
export DR_FILES_PUBLISHER_URL_"$NUM"="$(grep -o '"publishURL":"[^"]*' "$file" | cut -d '"' -f4)"
done
for file in $(ls drpub*); do
{{- $entry := dict }}
{{- $uid := tpl (default "" $secret.uid) $global }}
{{- $keys := keys $secret }}
- {{- range $key := (without $keys "annotations" "filePaths" )}}
+ {{- range $key := (without $keys "annotations" "filePaths" "envs" )}}
{{- $_ := set $entry $key (tpl (index $secret $key) $global) }}
{{- end }}
{{- if $secret.annotations }}
{{- $_ := set $entry "filePaths" $secret.filePaths }}
{{- end }}
{{- end }}
+ {{- if $secret.envs }}
+ {{- $envsCache := (list) }}
+ {{- range $env := $secret.envs }}
+ {{- $tplValue := tpl (default "" $env.value) $global }}
+ {{- $envsCache = append $envsCache (dict "name" $env.name "policy" $env.policy "value" $tplValue) }}
+ {{- end }}
+ {{- $_ := set $entry "envs" $envsCache }}
+ {{- end }}
{{- $realName := default (include "common.secret.genNameFast" (dict "global" $global "uid" $uid "name" $entry.name) ) $entry.externalSecret }}
{{- $_ := set $entry "realName" $realName }}
{{- $_ := set $secretCache $uid $entry }}
{{- end }}
{{- $_ := set $global.Values "_secretsCache" $secretCache }}
{{- end }}
+
{{- end -}}
{{/*
{{- end }}
{{- end -}}
+{{/*
+ generate needed scheme:
+ - https if needTLS
+ - http if not
+*/}}
+
+{{- define "common.scheme" -}}
+ {{- ternary "https" "http" (eq "true" (include "common.needTLS" .)) }}
+{{- end -}}
+
{{- define "common.port.buildCache" -}}
{{- $global := . }}
{{- if not $global.Values._DmaapDrNodePortsCache }}
{{- end -}}
{{- end -}}
{{- end -}}
+
+{{- define "common.serviceMesh.killSidecar" -}}
+{{- if (include "common.onServiceMesh" .) }}
+RCODE="$?";
+echo "*** script finished with exit code $RCODE" ;
+echo "*** killing service mesh sidecar" ;
+curl -sf -X POST http://127.0.0.1:15020/quitquitquit ;
+echo "" ;
+echo "*** exiting with script exit code" ;
+exit "$RCODE"
+{{- end }}
+{{- end -}}
{{/*
-# Copyright © 2018 Amdocs, Bell Canada
+# Copyright © 2018 Amdocs
+# Copyright © 2018,2021 Bell Canada
# Copyright © 2019 Samsung Electronics
# Copyright © 2019-2020 Orange
# Copyright © 2020 Bitnami
httpGet:
path: /metrics
port: metrics
- initialDelaySeconds: 30
- timeoutSeconds: 5
+ initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }}
readinessProbe:
httpGet:
path: /metrics
port: metrics
- initialDelaySeconds: 5
- timeoutSeconds: 1
+ initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }}
{{ include "common.containerSecurityContext" . | indent 10 | trim }}
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
{{- end }}
-# Copyright © 2018 Amdocs, Bell Canada
+# Copyright © 2018 Amdocs
+# Copyright © 2018,2021 Bell Canada
# Copyright © 2019 Samsung Electronics
# Copyright © 2020 Bitnami, Orange
#
requests:
cpu: 0.5
memory: 256Mi
+ ## MariaDB Galera metrics container's liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 3
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 3
## MySQL Prometheus exporter service parameters
##
service:
#remove attional prefix and postfix
imageNameFinal=`echo "$imageName" | sed -e 's/^"//' -e 's/"$//' `
- #check if line contain Version as a subtag in lines if yes then call docker pull with version
+ #check if line contain Version as a subtag in lines if yes then call docker pull with version
if echo $line | grep -q $IMAGE_VERSION_TEXT ; then
echo docker pull "$imageNameWithVersion":"$imageNameFinal"
docker pull $imageNameWithVersion:$imageNameFinal &
usage() {
cat << ==usage
$0 [cluster_domain] [lb_ip] [helm_chart_args] ...
- [cluster_domain] Default value simpledemo.onap.org
- [lb_ip] Default value LoadBalancer IP
- [helm_chart_args] ... Optional arguments passed to helm install command
+ [cluster_domain] Default value simpledemo.onap.org
+ [lb_ip] Default value LoadBalancer IP
+ [helm_chart_args] ... Optional arguments passed to helm install command
$0 --help This message
$0 --info Display howto configure target machine
==usage
cat << ==infodeploy
Extra DNS server already deployed:
1. You can add the DNS server to the target machine using following commands:
- sudo iptables -t nat -A OUTPUT -p tcp -d 192.168.211.211 --dport 53 -j DNAT --to-destination $CLUSTER_IP:$DNS_PORT
- sudo iptables -t nat -A OUTPUT -p udp -d 192.168.211.211 --dport 53 -j DNAT --to-destination $CLUSTER_IP:$DNS_PORT
- sudo sysctl -w net.ipv4.conf.all.route_localnet=1
- sudo sysctl -w net.ipv4.ip_forward=1
+ sudo iptables -t nat -A OUTPUT -p tcp -d 192.168.211.211 --dport 53 -j DNAT --to-destination $CLUSTER_IP:$DNS_PORT
+ sudo iptables -t nat -A OUTPUT -p udp -d 192.168.211.211 --dport 53 -j DNAT --to-destination $CLUSTER_IP:$DNS_PORT
+ sudo sysctl -w net.ipv4.conf.all.route_localnet=1
+ sudo sysctl -w net.ipv4.ip_forward=1
2. Update /etc/resolv.conf file with nameserver 192.168.211.211 entry on your target machine
==infodeploy
}
list_node_with_external_addrs()
{
- local WORKER_NODES=$(kubectl get no -l node-role.kubernetes.io/worker=true -o jsonpath='{.items..metadata.name}')
- for worker in $WORKER_NODES; do
- local external_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }')
- local internal_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/internal-ip }')
- if [ $internal_ip != $external_ip ]; then
- echo $external_ip
- break
- fi
- done
+ local WORKER_NODES=$(kubectl get no -l node-role.kubernetes.io/worker=true -o jsonpath='{.items..metadata.name}')
+ for worker in $WORKER_NODES; do
+ local external_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }')
+ local internal_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/internal-ip }')
+ if [ $internal_ip != $external_ip ]; then
+ echo $external_ip
+ break
+ fi
+ done
}
ingress_controller_ip() {
- local metal_ns=$(kubectl get ns --no-headers --output=custom-columns=NAME:metadata.name |grep metallb-system)
- if [ -z $metal_ns ]; then
- echo $CLUSTER_IP
- else
- list_node_with_external_addrs
- fi
+ local metal_ns=$(kubectl get ns --no-headers --output=custom-columns=NAME:metadata.name |grep metallb-system)
+ if [ -z $metal_ns ]; then
+ echo $CLUSTER_IP
+ else
+ list_node_with_external_addrs
+ fi
}
deploy() {
- local ingress_ip=$(ingress_controller_ip)
- initdir = $(pwd)
- cd $SPATH/bind9dns
- if [ $# -eq 0 ]; then
- local cl_domain="simpledemo.onap.org"
- else
- local cl_domain=$1
- shift
- fi
- if [ $# -ne 0 ]; then
- ingress_ip=$1
- shift
- fi
- helm install . --set dnsconf.wildcard="$cl_domain=$ingress_ip" $@
- cd $initdir
- target_machine_notice_info
+ local ingress_ip=$(ingress_controller_ip)
+ initdir = $(pwd)
+ cd $SPATH/bind9dns
+ if [ $# -eq 0 ]; then
+ local cl_domain="simpledemo.onap.org"
+ else
+ local cl_domain=$1
+ shift
+ fi
+ if [ $# -ne 0 ]; then
+ ingress_ip=$1
+ shift
+ fi
+ helm install . --set dnsconf.wildcard="$cl_domain=$ingress_ip" $@
+ cd $initdir
+ target_machine_notice_info
}
if [ $# -eq 1 ] && [ "$1" = "-h" ]; then
- usage
+ usage
elif [ $# -eq 1 ] && [ "$1" = "--help" ]; then
- usage
+ usage
elif [ $# -eq 1 ] && [ "$1" = "--info" ]; then
target_machine_notice_info
else
- deploy $@
+ deploy $@
fi
find_nodes_with_external_addrs()
{
- local WORKER_NODES=$(kubectl get no -l node-role.kubernetes.io/worker=true -o jsonpath='{.items..metadata.name}')
- for worker in $WORKER_NODES; do
- local external_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }')
- local internal_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/internal-ip }')
- if [ $internal_ip != $external_ip ]; then
- echo $external_ip
- fi
- done
+ local WORKER_NODES=$(kubectl get no -l node-role.kubernetes.io/worker=true -o jsonpath='{.items..metadata.name}')
+ for worker in $WORKER_NODES; do
+ local external_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }')
+ local internal_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/internal-ip }')
+ if [ $internal_ip != $external_ip ]; then
+ echo $external_ip
+ fi
+ done
}
generate_config_map()
}
generate_config_from_single_addr() {
- generate_config_map "$1 - $1"
+ generate_config_map "$1 - $1"
}
install_metallb() {
- kubectl apply -f https://raw.githubusercontent.com/google/metallb/v0.9.3/manifests/namespace.yaml
- kubectl apply -f https://raw.githubusercontent.com/google/metallb/v0.9.3/manifests/metallb.yaml
- # Only when install
- kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)"
+ kubectl apply -f https://raw.githubusercontent.com/google/metallb/v0.9.3/manifests/namespace.yaml
+ kubectl apply -f https://raw.githubusercontent.com/google/metallb/v0.9.3/manifests/metallb.yaml
+ # Only when install
+ kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)"
}
automatic_configuration() {
- install_metallb
- generate_config_from_single_addr $(find_nodes_with_external_addrs)
+ install_metallb
+ generate_config_from_single_addr $(find_nodes_with_external_addrs)
}
manual_configuration() {
- install_metallb
- generate_config_map $@
+ install_metallb
+ generate_config_map $@
}
if [ $# -eq 1 ] && [ "$1" = "-h" ]; then
- usage
+ usage
if [ $# -eq 1 ] && [ "$1" = "--help" ]; then
- usage
+ usage
elif [ $# -eq 0 ]; then
- automatic_configuration
+ automatic_configuration
else
- manual_configuration $@
+ manual_configuration $@
fi
password: '{{ .Values.config.appUserPassword }}'
passwordPolicy: generate
-image: onap/cps-temporal:0.0.1
+image: onap/cps-temporal:1.0.0
containerPort: &svc_port 8080
managementPort: &mgt_port 8081
virtualhost:
baseurl: "simpledemo.onap.org"
-image: onap/ncmp-dmi-plugin:0.0.1
+image: onap/ncmp-dmi-plugin:1.0.0
containerPort: &svc_port 8080
managementPort: &mgt_port 8081
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.services.components.bbs-event-processor:2.1.0
+image: onap/org.onap.dcaegen2.services.components.bbs-event-processor:2.1.1
pullPolicy: Always
# Log directory where logging sidecar should look for log files
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.services.datalakeadminui:1.1.0
+image: onap/org.onap.dcaegen2.services.datalakeadminui:1.1.1
# Log directory where logging sidecar should look for log files
# if absent, no sidecar will be deployed
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.services.heartbeat:2.2.0
+image: onap/org.onap.dcaegen2.services.heartbeat:2.3.1
pullPolicy: Always
# Log directory where logging sidecar should look for log files
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.services.components.kpi-ms:1.0.0
+image: onap/org.onap.dcaegen2.services.components.kpi-ms:1.0.1
pullPolicy: Always
# Log directory where logging sidecar should look for log files
tlsServer: true
enable_tls: true
+dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1
+policies:
+ policyID: |
+ '["com.Config_KPIMS_CONFIG_POLICY"]'
+
# Dependencies
readinessCheck:
wait_for:
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.services.pm-mapper:1.7.0
+image: onap/org.onap.dcaegen2.services.pm-mapper:1.7.2
pullPolicy: Always
# Log directory where logging sidecar should look for log files
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.services.pmsh:1.3.1
+image: onap/org.onap.dcaegen2.services.pmsh:1.3.2
pullPolicy: Always
# Log directory where logging sidecar should look for log files
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.services.components.slice-analysis-ms:1.0.4
+image: onap/org.onap.dcaegen2.services.components.slice-analysis-ms:1.0.6
# Log directory where logging sidecar should look for log files
# if absent, no sidecar will be deployed
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.services.son-handler:2.1.3
+image: onap/org.onap.dcaegen2.services.son-handler:2.1.4
pullPolicy: Always
# Log directory where logging sidecar should look for log files
# policyRelease: "onap"
# policyID: |
# '["onap.vfirewall.tca","onap.vdns.tca"]'
-# filter: |
-# '["DCAE.Config_vfirewall_.*"]'
+
aaiCreds:
user: DCAE
disableNfsProvisioner: true
# application image
-image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:3.3.4
+image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:3.3.5
default_k8s_location: central
# DCAE component images to be deployed via Cloudify Manager
# Application configuration defaults.
#################################################################
# application image
-image: onap/org.onap.dcaegen2.platform.configbinding:2.5.3
+image: onap/org.onap.dcaegen2.platform.configbinding:2.5.4
pullPolicy: Always
# probe configuration parameters
- name: repositoryGenerator
version: ~8.x-0
repository: '@local'
+ - name: serviceAccount
+ version: ~8.x-0
+ repository: '@local'
value: {{ .Values.config.nifiJarsIndexURL }}
- name: NIFI_DCAE_DISTRIBUTOR_API_URL
value: {{ .Values.config.distributorAPIURL }}
+ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
cpu: 2
memory: 2Gi
unlimited: {}
+
+#Pods Service Account
+serviceAccount:
+ nameOverride: dcaemod-designtool
+ roles:
+ - read
- name: repositoryGenerator
version: ~8.x-0
repository: '@local'
+ - name: serviceAccount
+ version: ~8.x-0
+ repository: '@local'
- name : ONBOARDING_API_URL
value: {{ .Values.config.onboardingAPIURL }}
resources: {{ include "common.resources" . | nindent 12 }}
+ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
cpu: 2
memory: 2Gi
unlimited: {}
+
+#Pods Service Account
+serviceAccount:
+ nameOverride: dcaemod-distributor-api
+ roles:
+ - read
- name: repositoryGenerator
version: ~8.x-0
repository: '@local'
+ - name: serviceAccount
+ version: ~8.x-0
+ repository: '@local'
- mountPath: /www/data
name: genprocessor-data
readOnly: true
+ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- name: genprocessor-data
persistentVolumeClaim:
memory: 2Gi
unlimited: {}
+#Pods Service Account
+serviceAccount:
+ nameOverride: dcaemod-genprocessor
+ roles:
+ - read
+
- name: repositoryGenerator
version: ~8.x-0
repository: '@local'
+ - name: serviceAccount
+ version: ~8.x-0
+ repository: '@local'
value: {{ include "common.namespace" . }}
- name: HELM_RELEASE
value: {{ include "common.release" . }}
+ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- name: {{ include "common.fullname" . }}-expected-components
configMap:
memory: 2Gi
unlimited: {}
+#Pods Service Account
+serviceAccount:
+ nameOverride: dcaemod-healthcheck
+ roles:
+ - read
- name: repositoryGenerator
version: ~8.x-0
repository: '@local'
+ - name: serviceAccount
+ version: ~8.x-0
+ repository: '@local'
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dbsecret" "key" "login") | indent 12 }}
- name: NIFI_REGISTRY_DB_PASS
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dbsecret" "key" "password") | indent 12 }}
+ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- name: flow-storage
persistentVolumeClaim:
cpu: 2
memory: 2Gi
unlimited: {}
+
+#Pods Service Account
+serviceAccount:
+ nameOverride: dcaemod-nifi-registry
+ roles:
+ - read
- name: repositoryGenerator
version: ~8.x-0
repository: '@local'
+ - name: serviceAccount
+ version: ~8.x-0
+ repository: '@local'
value: "5432"
- name: PG_DB_NAME
value: dcae_onboarding_db
+ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
memory: 2Gi
unlimited: {}
+#Pods Service Account
+serviceAccount:
+ nameOverride: dcaemod-onboarding-api
+ roles:
+ - read
+
- name: repositoryGenerator
version: ~8.x-0
repository: '@local'
+ - name: serviceAccount
+ version: ~8.x-0
+ repository: '@local'
value: {{ .Values.config.bpResourcesCpuLimit }}
- name: BP_RESOURCES_MEMORY_LIMIT
value: {{ .Values.config.bpResourcesMemoryLimit }}
+ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
memory: 2Gi
unlimited: {}
+#Pods Service Account
+serviceAccount:
+ nameOverride: dcaemod-runtime-api
+ roles:
+ - read
+
last (right-most) file specified. For example, if both myvalues.yaml and override.yaml
contained a key called 'Test', the value set in override.yaml would take precedence:
- $ helm deploy demo ./onap --namespace onap -f openstack.yaml -f overrides.yaml
+ $ helm deploy demo ./onap --namespace onap -f openstack.yaml -f overrides.yaml
You can specify the '--set' flag multiple times. The priority will be given to the
last (right-most) set specified. For example, if both 'bar' and 'newbar' values are
set for a key called 'foo', the 'newbar' value would take precedence:
- $ helm deploy demo local/onap --namespace onap -f overrides.yaml --set log.enabled=false --set vid.enabled=false
+ $ helm deploy demo local/onap --namespace onap -f overrides.yaml --set log.enabled=false --set vid.enabled=false
Usage:
helm deploy [RELEASE] [CHART] [flags]
else
echo "release \"${RELEASE}-${subchart}\" deployed"
fi
- # Add annotation last-applied-configuration if set-last-applied flag is set
+ # Add annotation last-applied-configuration if set-last-applied flag is set
if [ "$SET_LAST_APPLIED" = "true" ]; then
helm get manifest "${RELEASE}-${subchart}" \
| kubectl apply set-last-applied --create-annotation -n onap -f - \
- > $LOG_FILE.log 2>&1
+ > $LOG_FILE.log 2>&1
fi
fi
- if [ "$DELAY" = "true" ]; then
- echo sleep 3m
- sleep 180
- fi
+ if [ "$DELAY" = "true" ]; then
+ echo sleep 3m
+ sleep 180
+ fi
else
array=($(echo "$ALL_HELM_RELEASES" | grep "${RELEASE}-${subchart}"))
n=${#array[*]}
# You can also set the CONSUL_LOCAL_CONFIG environemnt variable to pass some
# Consul configuration JSON without having to bind any volumes.
if [ -n "$CONSUL_LOCAL_CONFIG" ]; then
- echo "$CONSUL_LOCAL_CONFIG" > "$CONSUL_CONFIG_DIR/local.json"
+ echo "$CONSUL_LOCAL_CONFIG" > "$CONSUL_CONFIG_DIR/local.json"
fi
# If the user is trying to run Consul directly with some arguments, then
# Application configuration defaults.
#################################################################
# application image
-image: onap/msb/msb_discovery:1.2.6
+image: onap/msb/msb_discovery:1.2.7
pullPolicy: Always
istioSidecar: true
# Application configuration defaults.
#################################################################
# application image
-image: onap/msb/msb_apigateway:1.2.7
+image: onap/msb/msb_apigateway:1.2.8
pullPolicy: Always
istioSidecar: true
# Application configuration defaults.
#################################################################
# application image
-image: onap/msb/msb_apigateway:1.2.7
+image: onap/msb/msb_apigateway:1.2.8
pullPolicy: Always
istioSidecar: true
"port": 6969,
"userName": "${RESTSERVER_USER}",
"password": "${RESTSERVER_PASSWORD}",
- "https": true
+ "https": true,
+ "prometheus": true
},
"pdpStatusParameters":{
"pdpGroup": "defaultGroup",
+++ /dev/null
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2018 Ericsson. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-{
- "javaProperties" : [
- ["javax.net.ssl.trustStore", "/opt/app/policy/apex-pdp/etc/ssl/policy-truststore"],
- ["javax.net.ssl.trustStorePassword", "${TRUSTSTORE_PASSWORD_BASE64}"]
- ],
- "engineServiceParameters": {
- "name": "MyApexEngine",
- "version": "0.0.1",
- "id": 45,
- "instanceCount": 4,
- "deploymentPort": 12345,
- "policyModelFileName": "examples/models/SampleDomain/SamplePolicyModelJAVASCRIPT.json",
- "engineParameters": {
- "executorParameters": {
- "JAVASCRIPT": {
- "parameterClassName": "org.onap.policy.apex.plugins.executor.javascript.JavascriptExecutorParameters"
- }
- }
- }
- },
- "eventOutputParameters": {
- "FirstProducer": {
- "carrierTechnologyParameters": {
- "carrierTechnology": "FILE",
- "parameters": {
- "standardIo": true
- }
- },
- "eventProtocolParameters": {
- "eventProtocol": "JSON"
- }
- }
- },
- "eventInputParameters": {
- "FirstConsumer": {
- "carrierTechnologyParameters": {
- "carrierTechnology": "FILE",
- "parameters": {
- "standardIo": true
- }
- },
- "eventProtocolParameters": {
- "eventProtocol": "JSON"
- }
- }
- }
-}
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-apex-pdp:2.5.2
+image: onap/policy-apex-pdp:2.6.0
pullPolicy: Always
# flag to enable debugging - application support required
"userName":"${RESTSERVER_USER}",
"password":"${RESTSERVER_PASSWORD}",
"https": true,
- "aaf": false
+ "aaf": false,
+ "prometheus": true
},
"databaseProviderParameters": {
"name": "PolicyProviderParameterGroup",
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-api:2.4.2
+image: onap/policy-api:2.5.0
pullPolicy: Always
# flag to enable debugging - application support required
# ============LICENSE_START=======================================================
# Copyright (C) 2018 Ericsson. All rights reserved.
# Modifications Copyright (C) 2020 AT&T Intellectual Property.
+# Modifications Copyright (C) 2021 Bell Canada. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
"port":6969,
"userName":"${RESTSERVER_USER}",
"password":"${RESTSERVER_PASSWORD}",
- "https":true
+ "https":true,
+ "prometheus": true
},
"receptionHandlerParameters":{
"SDCReceptionHandler":{
],
"consumerGroup": "policy-group",
"environmentName": "AUTO",
- "keystorePath": "null",
- "keystorePassword": "null",
+ "keyStorePath": "null",
+ "keyStorePassword": "null",
"activeserverTlsAuth": false,
"isFilterinEmptyResources": true,
"isUseHttpsWithDmaap": true
"parameterClassName":"org.onap.policy.distribution.forwarding.lifecycle.api.LifecycleApiForwarderParameters",
"parameters":{
"apiParameters": {
- "hostName": "policy-api",
- "port": 6969,
- "userName": "${API_USER}",
- "password": "${API_PASSWORD}"
- },
+ "clientName": "policy-api",
+ "hostname": "policy-api",
+ "port": 6969,
+ "userName": "${API_USER}",
+ "password": "${API_PASSWORD}",
+ "useHttps": true
+ },
"papParameters": {
- "hostName": "policy-pap",
- "port": 6969,
- "userName": "${PAP_USER}",
- "password": "${PAP_PASSWORD}"
+ "clientName": "policy-pap",
+ "hostname": "policy-pap",
+ "port": 6969,
+ "userName": "${PAP_USER}",
+ "password": "${PAP_PASSWORD}",
+ "useHttps": true
},
- "isHttps": true,
"deployPolicies": true
}
}
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-distribution:2.5.2
+image: onap/policy-distribution:2.6.0
pullPolicy: Always
# flag to enable debugging - application support required
{{/*
# Copyright © 2017-2018 Amdocs, Bell Canada.
# Modifications Copyright (C) 2018-2020 AT&T Intellectual Property.
+# Modifications Copyright (C) 2021 Bell Canada. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# Relational (SQL) DB access
SQL_HOST={{ .Values.db.name }}
+SQL_PORT=3306
# AAF
AAF_NAMESPACE=org.onap.policy
AAF_HOST=aaf-locate.{{.Release.Namespace}}
+# HTTP Servers
+
+HTTP_SERVER_HTTPS=true
+PROMETHEUS=true
+
# PDP-D DMaaP configuration channel
PDPD_CONFIGURATION_TOPIC=PDPD-CONFIGURATION
# Open DMaaP
DMAAP_SERVERS=message-router
+DMAAP_HTTPS=true
# AAI
--- /dev/null
+#
+# ============LICENSE_START=======================================================
+# ONAP
+# ================================================================================
+# Copyright (C) 2021 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+#
+
+# system properties set within the application
+
+java.net.preferIPv4Stack=true
+
+# jmx
+
+com.sun.management.jmxremote.port=9991
+com.sun.management.jmxremote.authenticate=false
+com.sun.management.jmxremote.ssl=false
+
+# certs
+
+javax.net.ssl.trustStore=${envd:TRUSTSTORE:/opt/app/policy/etc/ssl/policy-truststore}
+javax.net.ssl.trustStorePassword=${envd:TRUSTSTORE_PASSWD}
+
+javax.net.ssl.keyStore=${envd:KEYSTORE}
+javax.net.ssl.keyStorePassword=${envd:KEYSTORE_PASSWD}
+
+# kie
+
+kie.maven.offline.force=${envd:REPOSITORY_OFFLINE:false}
+
+# symmetric key for sensitive configuration data
+
+engine.symm.key=${envd:SYMM_KEY}
<maxHistory>30</maxHistory>
<totalSizeCap>10GB</totalSizeCap>
</rollingPolicy>
- <filter class="org.onap.policy.drools.utils.logging.LoggerMarkerFilter$MetricLoggerMarkerFilter" />
+ <filter class="org.onap.policy.common.utils.logging.LoggerMarkerFilter$MetricLoggerMarkerFilter" />
<encoder>
<pattern>%X{RequestID}|%X{InvocationID}|%X{ServiceName}|%X{PartnerName}|%X{BeginTimestamp}|%X{EndTimestamp}|%X{ElapsedTime}|%X{ServiceInstanceID}|%X{VirtualServerName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDescription}|%X{InstanceUUID}|%X{Severity}|%X{TargetEntity}|%X{TargetServiceName}|%X{Server}|%X{ServerIPAddress}|%X{ServerFQDN}|%X{ClientIPAddress}|%X{ProcessKey}|%X{RemoteHost}||%X{TargetVirtualEntity}|%level|%thread| %msg%n</pattern>
</encoder>
<maxHistory>30</maxHistory>
<totalSizeCap>10GB</totalSizeCap>
</rollingPolicy>
- <filter class="org.onap.policy.drools.utils.logging.LoggerMarkerFilter$TransactionLoggerMarkerFilter" />
+ <filter class="org.onap.policy.common.utils.logging.LoggerMarkerFilter$TransactionLoggerMarkerFilter" />
<encoder>
<pattern>%X{RequestID}|%X{InvocationID}|%X{ServiceName}|%X{PartnerName}|%X{BeginTimestamp}|%X{EndTimestamp}|%X{ElapsedTime}|%X{ServiceInstanceID}|%X{VirtualServerName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDescription}|%X{InstanceUUID}|%X{Severity}|%X{TargetEntity}|%X{TargetServiceName}|%X{Server}|%X{ServerIPAddress}|%X{ServerFQDN}|%X{ClientIPAddress}|%X{ProcessKey}|%X{RemoteHost}||%X{TargetVirtualEntity}|%level|%thread| %msg%n</pattern>
</encoder>
</appender>
<appender name="MetricStdOut" class="ch.qos.logback.core.ConsoleAppender">
- <filter class="org.onap.policy.drools.utils.logging.LoggerMarkerFilter$MetricLoggerMarkerFilter" />
+ <filter class="org.onap.policy.common.utils.logging.LoggerMarkerFilter$MetricLoggerMarkerFilter" />
<encoder>
<pattern>%X{RequestID}|%X{InvocationID}|%X{ServiceName}|%X{PartnerName}|%X{BeginTimestamp}|%X{EndTimestamp}|%X{ElapsedTime}|%X{ServiceInstanceID}|%X{VirtualServerName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDescription}|%X{InstanceUUID}|%X{Severity}|%X{TargetEntity}|%X{TargetServiceName}|%X{Server}|%X{ServerIPAddress}|%X{ServerFQDN}|%X{ClientIPAddress}|%X{ProcessKey}|%X{RemoteHost}||%X{TargetVirtualEntity}|%level|%thread| %msg%n</pattern>
</encoder>
</appender>
<appender name="TransactionStdOut" class="ch.qos.logback.core.ConsoleAppender">
- <filter class="org.onap.policy.drools.utils.logging.LoggerMarkerFilter$TransactionLoggerMarkerFilter" />
+ <filter class="org.onap.policy.common.utils.logging.LoggerMarkerFilter$TransactionLoggerMarkerFilter" />
<encoder>
<pattern>%X{RequestID}|%X{InvocationID}|%X{ServiceName}|%X{PartnerName}|%X{BeginTimestamp}|%X{EndTimestamp}|%X{ElapsedTime}|%X{ServiceInstanceID}|%X{VirtualServerName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDescription}|%X{InstanceUUID}|%X{Severity}|%X{TargetEntity}|%X{TargetServiceName}|%X{Server}|%X{ServerIPAddress}|%X{ServerFQDN}|%X{ClientIPAddress}|%X{ProcessKey}|%X{RemoteHost}||%X{TargetVirtualEntity}|%level|%thread| %msg%n</pattern>
</encoder>
-# Copyright © 2017 Amdocs, Bell Canada
+# Copyright © 2017 Amdocs
+# Copyright © 2017, 2021 Bell Canada
# Modifications Copyright © 2018-2021 AT&T Intellectual Property
#
# Licensed under the Apache License, Version 2.0 (the "License");
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-pdpd-cl:1.8.2
+image: onap/policy-pdpd-cl:1.9.0
pullPolicy: Always
# flag to enable debugging - application support required
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2019 Nordix Foundation.
+# Modifications Copyright (C) 2021 AT&T Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
"userName":"${RESTSERVER_USER}",
"password":"${RESTSERVER_PASSWORD}",
"https": true,
- "aaf": false
+ "aaf": false,
+ "prometheus": true
},
"pdpParameters": {
"heartBeatMs": 120000,
"databasePassword": "${SQL_PASSWORD}",
"persistenceUnit": "PolicyMariaDb"
},
+ "savePdpStatisticsInDb": true,
"topicParameterGroup": {
"topicSources" : [{
"topic" : "POLICY-PDP-PAP",
"useHttps": true,
"fetchTimeout": 15000,
"topicCommInfrastructure" : "dmaap"
+ },
+ {
+ "topic" : "POLICY-HEARTBEAT",
+ "effectiveTopic": "POLICY-PDP-PAP",
+ "consumerGroup": "policy-pap",
+ "servers" : [ "message-router" ],
+ "useHttps": true,
+ "fetchTimeout": 15000,
+ "topicCommInfrastructure" : "dmaap"
}],
"topicSinks" : [{
"topic" : "POLICY-PDP-PAP",
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-pap:2.4.2
+image: onap/policy-pap:2.5.0
pullPolicy: Always
# flag to enable debugging - application support required
"userName": "${RESTSERVER_USER}",
"password": "${RESTSERVER_PASSWORD}",
"https": true,
- "aaf": false
+ "aaf": false,
+ "prometheus": true
},
"policyApiParameters": {
- "host": "policy-api",
+ "hostname": "policy-api",
"port": 6969,
"userName": "${API_USER}",
"password": "${API_PASSWORD}",
- "https": true,
+ "useHttps": true,
"aaf": false
},
- "applicationPath": "/opt/app/policy/pdpx/apps",
+ "applicationParameters": {
+ "applicationPath": "/opt/app/policy/pdpx/apps"
+ },
"topicParameterGroup": {
"topicSources" : [{
"topic" : "POLICY-PDP-PAP",
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-xacml-pdp:2.4.2
+image: onap/policy-xacml-pdp:2.5.0
pullPolicy: Always
# flag to enable debugging - application support required
mysql() { /usr/bin/mysql -h ${MYSQL_HOST} -P ${MYSQL_USER} "$@"; };
-for db in support onap_sdk log migration operationshistory10 pooling policyadmin policyclamp operationshistory
+for db in migration pooling policyadmin policyclamp operationshistory
do
- mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};"
- mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;"
+ mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};"
+ mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;"
done
mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "FLUSH PRIVILEGES;"
--- /dev/null
+#!/bin/sh
+{{/*
+# Copyright (C) 2021 Nordix Foundation.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+/opt/app/policy/bin/prepare_upgrade.sh ${SQL_DB}
+/opt/app/policy/bin/db-migrator -s ${SQL_DB} -o upgrade
+rc=$?
+/opt/app/policy/bin/db-migrator -s ${SQL_DB} -o report
+exit $rc
{{/*
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018, 2020 AT&T Intellectual Property
+# Modifications Copyright (C) 2021 Nordix Foundation.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
release: {{ include "common.release" . }}
heritage: {{ .Release.Service }}
data:
-{{ tpl (.Files.Glob "resources/config/db.sh").AsConfig . | indent 2 }}
+{{ tpl (.Files.Glob "resources/config/*.sh").AsConfig . | indent 2 }}
{{/*
# Copyright © 2018 Amdocs, Bell Canada
# Modifications Copyright © 2020 AT&T Intellectual Property
+# Modifications Copyright (C) 2021 Nordix Foundation.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- containers:
- name: {{ include "common.release" . }}-policy-galera-config
image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.mariadb.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: MYSQL_PORT
value: "{{ index .Values "mariadb-galera" "service" "internalPort" }}"
resources:
+{{ include "common.resources" . }}
+ containers:
+ - name: {{ include "common.release" . }}-policy-galera-db-migrator
+ image: {{ .Values.repository }}/{{ .Values.dbmigrator.image }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ volumeMounts:
+ - mountPath: /dbcmd-config/db_migrator_policy_init.sh
+ name: {{ include "common.fullname" . }}-config
+ subPath: db_migrator_policy_init.sh
+ command:
+ - /bin/sh
+ args:
+ - -x
+ - /dbcmd-config/db_migrator_policy_init.sh
+ env:
+ - name: SQL_HOST
+ value: "{{ index .Values "mariadb-galera" "service" "name" }}"
+ - name: SQL_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
+ - name: SQL_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
+ - name: SQL_DB
+ value: {{ .Values.dbmigrator.schema }}
+ - name: POLICY_HOME
+ value: {{ .Values.dbmigrator.policy_home }}
+ resources:
{{ include "common.resources" . }}
restartPolicy: Never
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
items:
- key: db.sh
path: db.sh
+ - key: db_migrator_policy_init.sh
+ path: db_migrator_policy_init.sh
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018-2020 AT&T Intellectual Property
+# Modifications Copyright (C) 2021 Nordix Foundation.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
mariadb:
image: mariadb:10.5.8
+dbmigrator:
+ image: onap/policy-db-migrator:2.3.0
+ schema: policyadmin
+ policy_home: "/opt/app/policy"
+
subChartsOnly:
enabled: true
# logging functions
mysql_log() {
- local type="$1"; shift
- printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*"
+ local type="$1"; shift
+ printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*"
}
mysql_note() {
- mysql_log Note "$@"
+ mysql_log Note "$@"
}
mysql_warn() {
- mysql_log Warn "$@" >&2
+ mysql_log Warn "$@" >&2
}
mysql_error() {
- mysql_log ERROR "$@" >&2
- exit 1
+ mysql_log ERROR "$@" >&2
+ exit 1
}
# usage: file_env VAR [DEFAULT]
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
- local def="${2:-}"
- if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- mysql_error "Both $var and $fileVar are set (but are exclusive)"
- fi
- local val="$def"
- # val="${!var}"
- # val="$(< "${!fileVar}")"
- # eval replacement of the bashism equivalents above presents no security issue here
- # since var and fileVar variables contents are derived from the file_env() function arguments.
- # This method is only called inside this script with a limited number of possible values.
- if [ "${!var:-}" ]; then
- eval val=\$$var
- elif [ "${!fileVar:-}" ]; then
- val="$(< "$(eval echo "\$$fileVar")")"
- fi
- export "$var"="$val"
- unset "$fileVar"
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ mysql_error "Both $var and $fileVar are set (but are exclusive)"
+ fi
+ local val="$def"
+ # val="${!var}"
+ # val="$(< "${!fileVar}")"
+ # eval replacement of the bashism equivalents above presents no security issue here
+ # since var and fileVar variables contents are derived from the file_env() function arguments.
+ # This method is only called inside this script with a limited number of possible values.
+ if [ "${!var:-}" ]; then
+ eval val=\$$var
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "$(eval echo "\$$fileVar")")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
}
# check to see if this file is being run or sourced from another script
_is_sourced() {
- # https://unix.stackexchange.com/a/215279
- [ "${#FUNCNAME[@]}" -ge 2 ] \
- && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
- && [ "${FUNCNAME[1]}" = 'source' ]
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
}
# usage: docker_process_init_files [file [file [...]]]
# ie: docker_process_init_files /always-initdb.d/*
# process initializer files, based on file extensions
docker_process_init_files() {
- # mysql here for backwards compatibility "${mysql[@]}"
- mysql=( docker_process_sql )
-
- echo
- local f
- for f; do
- case "$f" in
- *.sh)
- # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
- # https://github.com/docker-library/postgres/pull/452
- if [ -x "$f" ]; then
- mysql_note "$0: running $f"
- "$f"
- else
- mysql_note "$0: sourcing $f"
- . "$f"
- fi
- ;;
- *.sql) mysql_note "$0: running $f"; docker_process_sql < "$f"; echo ;;
- *.sql.gz) mysql_note "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;;
- *.sql.xz) mysql_note "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;;
- *) mysql_warn "$0: ignoring $f" ;;
- esac
- echo
- done
+ # mysql here for backwards compatibility "${mysql[@]}"
+ mysql=( docker_process_sql )
+
+ echo
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ mysql_note "$0: running $f"
+ "$f"
+ else
+ mysql_note "$0: sourcing $f"
+ . "$f"
+ fi
+ ;;
+ *.sql) mysql_note "$0: running $f"; docker_process_sql < "$f"; echo ;;
+ *.sql.gz) mysql_note "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;;
+ *.sql.xz) mysql_note "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;;
+ *) mysql_warn "$0: ignoring $f" ;;
+ esac
+ echo
+ done
}
mysql_check_config() {
- local toRun=( "$@" --verbose --help --log-bin-index="$(mktemp -u)" ) errors
- if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then
- mysql_error "$(printf 'mysqld failed while attempting to check config\n\tcommand was: ')${toRun[*]}$(printf'\n\t')$errors"
- fi
+ local toRun=( "$@" --verbose --help --log-bin-index="$(mktemp -u)" ) errors
+ if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then
+ mysql_error "$(printf 'mysqld failed while attempting to check config\n\tcommand was: ')${toRun[*]}$(printf'\n\t')$errors"
+ fi
}
# Fetch value from server config
# We use mysqld --verbose --help instead of my_print_defaults because the
# latter only show values present in config files, and not server defaults
mysql_get_config() {
- local conf="$1"; shift
- "$@" --verbose --help --log-bin-index="$(mktemp -u)" 2>/dev/null \
- | awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
- # match "datadir /some/path with/spaces in/it here" but not "--xyz=abc\n datadir (xyz)"
+ local conf="$1"; shift
+ "$@" --verbose --help --log-bin-index="$(mktemp -u)" 2>/dev/null \
+ | awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
+ # match "datadir /some/path with/spaces in/it here" but not "--xyz=abc\n datadir (xyz)"
}
# Do a temporary startup of the MySQL server, for init purposes
docker_temp_server_start() {
- "$@" --skip-networking --socket="${SOCKET}" &
- mysql_note "Waiting for server startup"
- local i
- for i in $(seq 30 -1 0); do
- # only use the root password if the database has already been initializaed
- # so that it won't try to fill in a password file when it hasn't been set yet
- extraArgs=""
- if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
- extraArgs=${extraArgs}" --dont-use-mysql-root-password"
- fi
- if echo 'SELECT 1' |docker_process_sql ${extraArgs} --database=mysql >/dev/null 2>&1; then
- break
- fi
- sleep 1
- done
- if [ "$i" = 0 ]; then
- mysql_error "Unable to start server."
- fi
+ "$@" --skip-networking --socket="${SOCKET}" &
+ mysql_note "Waiting for server startup"
+ local i
+ for i in $(seq 30 -1 0); do
+ # only use the root password if the database has already been initializaed
+ # so that it won't try to fill in a password file when it hasn't been set yet
+ extraArgs=""
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ extraArgs=${extraArgs}" --dont-use-mysql-root-password"
+ fi
+ if echo 'SELECT 1' |docker_process_sql ${extraArgs} --database=mysql >/dev/null 2>&1; then
+ break
+ fi
+ sleep 1
+ done
+ if [ "$i" = 0 ]; then
+ mysql_error "Unable to start server."
+ fi
}
# Stop the server. When using a local socket file mysqladmin will block until
# the shutdown is complete.
docker_temp_server_stop() {
- if ! mysqladmin --defaults-extra-file=<( _mysql_passfile ) shutdown -uroot --socket="${SOCKET}"; then
- mysql_error "Unable to shut down server."
- fi
+ if ! mysqladmin --defaults-extra-file=<( _mysql_passfile ) shutdown -uroot --socket="${SOCKET}"; then
+ mysql_error "Unable to shut down server."
+ fi
}
# Verify that the minimally required password settings are set for new databases.
docker_verify_minimum_env() {
- if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
- mysql_error "$(printf'Database is uninitialized and password option is not specified\n\tYou need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD')"
- fi
+ if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
+ mysql_error "$(printf'Database is uninitialized and password option is not specified\n\tYou need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD')"
+ fi
}
# creates folders for the database
# also ensures permission for user mysql of run as root
docker_create_db_directories() {
- local user; user="$(id -u)"
+ local user; user="$(id -u)"
- # TODO other directories that are used by default? like /var/lib/mysql-files
- # see https://github.com/docker-library/mysql/issues/562
- mkdir -p "$DATADIR"
+ # TODO other directories that are used by default? like /var/lib/mysql-files
+ # see https://github.com/docker-library/mysql/issues/562
+ mkdir -p "$DATADIR"
- if [ "$user" = "0" ]; then
- # this will cause less disk access than `chown -R`
- find "$DATADIR" \! -user mysql -exec chown mysql '{}' +
- fi
+ if [ "$user" = "0" ]; then
+ # this will cause less disk access than `chown -R`
+ find "$DATADIR" \! -user mysql -exec chown mysql '{}' +
+ fi
}
# initializes the database directory
docker_init_database_dir() {
- mysql_note "Initializing database files"
- installArgs=" --datadir=$DATADIR --rpm "
- if { mysql_install_db --help || :; } | grep -q -- '--auth-root-authentication-method'; then
- # beginning in 10.4.3, install_db uses "socket" which only allows system user root to connect, switch back to "normal" to allow mysql root without a password
- # see https://github.com/MariaDB/server/commit/b9f3f06857ac6f9105dc65caae19782f09b47fb3
- # (this flag doesn't exist in 10.0 and below)
- installArgs=${installArgs}" --auth-root-authentication-method=normal"
- fi
- # "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here)
- mysql_install_db ${installArgs} "$(echo ${@} | sed 's/^ *[^ ]* *//')"
- mysql_note "Database files initialized"
+ mysql_note "Initializing database files"
+ installArgs=" --datadir=$DATADIR --rpm "
+ if { mysql_install_db --help || :; } | grep -q -- '--auth-root-authentication-method'; then
+ # beginning in 10.4.3, install_db uses "socket" which only allows system user root to connect, switch back to "normal" to allow mysql root without a password
+ # see https://github.com/MariaDB/server/commit/b9f3f06857ac6f9105dc65caae19782f09b47fb3
+ # (this flag doesn't exist in 10.0 and below)
+ installArgs=${installArgs}" --auth-root-authentication-method=normal"
+ fi
+ # "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here)
+ mysql_install_db ${installArgs} "$(echo ${@} | sed 's/^ *[^ ]* *//')"
+ mysql_note "Database files initialized"
}
# Loads various settings that are used elsewhere in the script
# This should be called after mysql_check_config, but before any other functions
docker_setup_env() {
- # Get config
- declare -g DATADIR SOCKET
- DATADIR="$(mysql_get_config 'datadir' "$@")"
- SOCKET="$(mysql_get_config 'socket' "$@")"
-
- # Initialize values that might be stored in a file
- file_env 'MYSQL_ROOT_HOST' '%'
- file_env 'MYSQL_DATABASE'
- file_env 'MYSQL_USER'
- file_env 'MYSQL_PASSWORD'
- file_env 'MYSQL_ROOT_PASSWORD'
- file_env 'PORTAL_DB_TABLES'
-
- declare -g DATABASE_ALREADY_EXISTS
- if [ -d "$DATADIR/mysql" ]; then
- DATABASE_ALREADY_EXISTS='true'
- fi
+ # Get config
+ declare -g DATADIR SOCKET
+ DATADIR="$(mysql_get_config 'datadir' "$@")"
+ SOCKET="$(mysql_get_config 'socket' "$@")"
+
+ # Initialize values that might be stored in a file
+ file_env 'MYSQL_ROOT_HOST' '%'
+ file_env 'MYSQL_DATABASE'
+ file_env 'MYSQL_USER'
+ file_env 'MYSQL_PASSWORD'
+ file_env 'MYSQL_ROOT_PASSWORD'
+ file_env 'PORTAL_DB_TABLES'
+
+ declare -g DATABASE_ALREADY_EXISTS
+ if [ -d "$DATADIR/mysql" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
}
# Execute sql script, passed via stdin
# ie: docker_process_sql --database=mydb <<<'INSERT ...'
# ie: docker_process_sql --dont-use-mysql-root-password --database=mydb <my-file.sql
docker_process_sql() {
- passfileArgs=""
- if [ '--dont-use-mysql-root-password' = "$1" ]; then
- passfileArgs=${passfileArgs}" $1"
- shift
- fi
- # args sent in can override this db, since they will be later in the command
- if [ -n "$MYSQL_DATABASE" ]; then
- set -- --database="$MYSQL_DATABASE" "$@"
- fi
-
- mysql --defaults-extra-file=<( _mysql_passfile ${passfileArgs}) --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@"
+ passfileArgs=""
+ if [ '--dont-use-mysql-root-password' = "$1" ]; then
+ passfileArgs=${passfileArgs}" $1"
+ shift
+ fi
+ # args sent in can override this db, since they will be later in the command
+ if [ -n "$MYSQL_DATABASE" ]; then
+ set -- --database="$MYSQL_DATABASE" "$@"
+ fi
+
+ mysql --defaults-extra-file=<( _mysql_passfile ${passfileArgs}) --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@"
}
# Initializes database with timezone info and root password, plus optional extra db/user
docker_setup_db() {
- # Load timezone info into database
- if [ -z "$MYSQL_INITDB_SKIP_TZINFO" ]; then
- {
- # Aria in 10.4+ is slow due to "transactional" (crash safety)
- # https://jira.mariadb.org/browse/MDEV-23326
- # https://github.com/docker-library/mariadb/issues/262
- local tztables=( time_zone time_zone_leap_second time_zone_name time_zone_transition time_zone_transition_type )
- for table in "${tztables[@]}"; do
- echo "/*!100400 ALTER TABLE $table TRANSACTIONAL=0 */;"
- done
-
- # sed is for https://bugs.mysql.com/bug.php?id=20545
- mysql_tzinfo_to_sql /usr/share/zoneinfo \
- | sed 's/Local time zone must be set--see zic manual page/FCTY/'
-
- for table in "${tztables[@]}"; do
- echo "/*!100400 ALTER TABLE $table TRANSACTIONAL=1 */;"
- done
- } | docker_process_sql --dont-use-mysql-root-password --database=mysql
- # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet
- fi
- # Generate random root password
- if [ -n "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
- export MYSQL_ROOT_PASSWORD="$(pwgen -1 32)"
- mysql_note "GENERATED ROOT PASSWORD: $MYSQL_ROOT_PASSWORD"
- fi
- # Sets root password and creates root users for non-localhost hosts
- local rootCreate=
- # default root to listen for connections from anywhere
- if [ -n "$MYSQL_ROOT_HOST" ] && [ "$MYSQL_ROOT_HOST" != 'localhost' ]; then
- # no, we don't care if read finds a terminating character in this heredoc
- # https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151
- read -r -d '' rootCreate <<-EOSQL || true
- CREATE USER 'root'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ;
- GRANT ALL ON *.* TO 'root'@'${MYSQL_ROOT_HOST}' WITH GRANT OPTION ;
- EOSQL
- fi
-
- # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is just now being set
- docker_process_sql --dont-use-mysql-root-password --database=mysql <<-EOSQL
- -- What's done in this file shouldn't be replicated
- -- or products like mysql-fabric won't work
- SET @@SESSION.SQL_LOG_BIN=0;
-
- DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mariadb.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ;
- SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ;
- -- 10.1: https://github.com/MariaDB/server/blob/d925aec1c10cebf6c34825a7de50afe4e630aff4/scripts/mysql_secure_installation.sh#L347-L365
- -- 10.5: https://github.com/MariaDB/server/blob/00c3a28820c67c37ebbca72691f4897b57f2eed5/scripts/mysql_secure_installation.sh#L351-L369
- DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%' ;
-
- GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ;
- FLUSH PRIVILEGES ;
- ${rootCreate}
- DROP DATABASE IF EXISTS test ;
- EOSQL
-
- # Creates a custom database and user if specified
- if [ -n "$MYSQL_DATABASE" ]; then
- mysql_note "Creating database ${MYSQL_DATABASE}"
- echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" |docker_process_sql --database=mysql
- fi
-
- if [ -n "$MYSQL_USER" ] && [ -n "$MYSQL_PASSWORD" ]; then
- mysql_note "Creating user ${MYSQL_USER}"
- echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" |docker_process_sql --database=mysql
-
- if [ -n "$MYSQL_DATABASE" ]; then
- mysql_note "Giving user ${MYSQL_USER} access to schema ${MYSQL_DATABASE}"
- echo "GRANT ALL ON \`$(echo $MYSQL_DATABASE | sed 's@_@\\_@g')\`.* TO '$MYSQL_USER'@'%' ;" | docker_process_sql --database=mysql
- fi
-
- echo "FLUSH PRIVILEGES ;" | docker_process_sql --database=mysql
- fi
+ # Load timezone info into database
+ if [ -z "$MYSQL_INITDB_SKIP_TZINFO" ]; then
+ {
+ # Aria in 10.4+ is slow due to "transactional" (crash safety)
+ # https://jira.mariadb.org/browse/MDEV-23326
+ # https://github.com/docker-library/mariadb/issues/262
+ local tztables=( time_zone time_zone_leap_second time_zone_name time_zone_transition time_zone_transition_type )
+ for table in "${tztables[@]}"; do
+ echo "/*!100400 ALTER TABLE $table TRANSACTIONAL=0 */;"
+ done
+
+ # sed is for https://bugs.mysql.com/bug.php?id=20545
+ mysql_tzinfo_to_sql /usr/share/zoneinfo \
+ | sed 's/Local time zone must be set--see zic manual page/FCTY/'
+
+ for table in "${tztables[@]}"; do
+ echo "/*!100400 ALTER TABLE $table TRANSACTIONAL=1 */;"
+ done
+ } | docker_process_sql --dont-use-mysql-root-password --database=mysql
+ # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet
+ fi
+ # Generate random root password
+ if [ -n "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
+ export MYSQL_ROOT_PASSWORD="$(pwgen -1 32)"
+ mysql_note "GENERATED ROOT PASSWORD: $MYSQL_ROOT_PASSWORD"
+ fi
+ # Sets root password and creates root users for non-localhost hosts
+ local rootCreate=
+ # default root to listen for connections from anywhere
+ if [ -n "$MYSQL_ROOT_HOST" ] && [ "$MYSQL_ROOT_HOST" != 'localhost' ]; then
+ # no, we don't care if read finds a terminating character in this heredoc
+ # https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151
+ read -r -d '' rootCreate <<-EOSQL || true
+ CREATE USER 'root'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ;
+ GRANT ALL ON *.* TO 'root'@'${MYSQL_ROOT_HOST}' WITH GRANT OPTION ;
+EOSQL
+ fi
+
+ # tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is just now being set
+ docker_process_sql --dont-use-mysql-root-password --database=mysql <<-EOSQL
+ -- What's done in this file shouldn't be replicated
+ -- or products like mysql-fabric won't work
+ SET @@SESSION.SQL_LOG_BIN=0;
+
+ DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mariadb.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ;
+ SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ;
+ -- 10.1: https://github.com/MariaDB/server/blob/d925aec1c10cebf6c34825a7de50afe4e630aff4/scripts/mysql_secure_installation.sh#L347-L365
+ -- 10.5: https://github.com/MariaDB/server/blob/00c3a28820c67c37ebbca72691f4897b57f2eed5/scripts/mysql_secure_installation.sh#L351-L369
+ DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%' ;
+
+ GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ;
+ FLUSH PRIVILEGES ;
+ ${rootCreate}
+ DROP DATABASE IF EXISTS test ;
+EOSQL
+
+ # Creates a custom database and user if specified
+ if [ -n "$MYSQL_DATABASE" ]; then
+ mysql_note "Creating database ${MYSQL_DATABASE}"
+ echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" |docker_process_sql --database=mysql
+ fi
+
+ if [ -n "$MYSQL_USER" ] && [ -n "$MYSQL_PASSWORD" ]; then
+ mysql_note "Creating user ${MYSQL_USER}"
+ echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" |docker_process_sql --database=mysql
+
+ if [ -n "$MYSQL_DATABASE" ]; then
+ mysql_note "Giving user ${MYSQL_USER} access to schema ${MYSQL_DATABASE}"
+ echo "GRANT ALL ON \`$(echo $MYSQL_DATABASE | sed 's@_@\\_@g')\`.* TO '$MYSQL_USER'@'%' ;" | docker_process_sql --database=mysql
+ fi
+
+ echo "FLUSH PRIVILEGES ;" | docker_process_sql --database=mysql
+ fi
}
_mysql_passfile() {
- # echo the password to the "file" the client uses
- # the client command will use process substitution to create a file on the fly
- # ie: --defaults-extra-file=<( _mysql_passfile )
- if [ '--dont-use-mysql-root-password' != "$1" ] && [ -n "$MYSQL_ROOT_PASSWORD" ]; then
- cat <<-EOF
- [client]
- password="${MYSQL_ROOT_PASSWORD}"
- EOF
- fi
+ # echo the password to the "file" the client uses
+ # the client command will use process substitution to create a file on the fly
+ # ie: --defaults-extra-file=<( _mysql_passfile )
+ if [ '--dont-use-mysql-root-password' != "$1" ] && [ -n "$MYSQL_ROOT_PASSWORD" ]; then
+ cat <<-EOF
+ [client]
+ password="${MYSQL_ROOT_PASSWORD}"
+EOF
+ fi
}
# check arguments for an option that would cause mysqld to stop
# return true if there is one
_mysql_want_help() {
- local arg
- for arg; do
- case "$arg" in
- -'?'|--help|--print-defaults|-V|--version)
- return 0
- ;;
- esac
- done
- return 1
+ local arg
+ for arg; do
+ case "$arg" in
+ -'?'|--help|--print-defaults|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
}
_main() {
- # if command starts with an option, prepend mysqld
- if echo "$1" | grep '^-' >/dev/null; then
- set -- mysqld "$@"
- fi
-
- # skip setup if they aren't running mysqld or want an option that stops mysqld
- if [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then
- mysql_note "Entrypoint script for MySQL Server ${MARIADB_VERSION} started."
-
- mysql_check_config "$@"
- # Load various environment variables
- docker_setup_env "$@"
- docker_create_db_directories
-
- # If container is started as root user, restart as dedicated mysql user
- if [ "$(id -u)" = "0" ]; then
- mysql_note "Switching to dedicated user 'mysql'"
- exec gosu mysql "$0" "$@"
- fi
-
- # there's no database, so it needs to be initialized
- if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
- docker_verify_minimum_env
-
- # check dir permissions to reduce likelihood of half-initialized database
- ls /docker-entrypoint-initdb.d/ > /dev/null
-
- docker_init_database_dir "$@"
-
- mysql_note "Starting temporary server"
- docker_temp_server_start "$@"
- mysql_note "Temporary server started."
-
- docker_setup_db
- docker_process_init_files /docker-entrypoint-initdb.d/*
-
- for i in $(echo $PORTAL_DB_TABLES | sed "s/,/ /g")
- do
- echo "Granting portal user ALL PRIVILEGES for table $i"
- echo "GRANT ALL ON \`$i\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}"
- done
-
- mysql_note "Stopping temporary server"
- docker_temp_server_stop
- mysql_note "Temporary server stopped"
-
- echo
- mysql_note "MySQL init process done. Ready for start up."
- echo
- fi
- fi
- exec "$@"
+ # if command starts with an option, prepend mysqld
+ if echo "$1" | grep '^-' >/dev/null; then
+ set -- mysqld "$@"
+ fi
+
+ # skip setup if they aren't running mysqld or want an option that stops mysqld
+ if [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then
+ mysql_note "Entrypoint script for MySQL Server ${MARIADB_VERSION} started."
+
+ mysql_check_config "$@"
+ # Load various environment variables
+ docker_setup_env "$@"
+ docker_create_db_directories
+
+ # If container is started as root user, restart as dedicated mysql user
+ if [ "$(id -u)" = "0" ]; then
+ mysql_note "Switching to dedicated user 'mysql'"
+ exec gosu mysql "$0" "$@"
+ fi
+
+ # there's no database, so it needs to be initialized
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir "$@"
+
+ mysql_note "Starting temporary server"
+ docker_temp_server_start "$@"
+ mysql_note "Temporary server started."
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ for i in $(echo $PORTAL_DB_TABLES | sed "s/,/ /g")
+ do
+ echo "Granting portal user ALL PRIVILEGES for table $i"
+ echo "GRANT ALL ON \`$i\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}"
+ done
+
+ mysql_note "Stopping temporary server"
+ docker_temp_server_stop
+ mysql_note "Temporary server stopped"
+
+ echo
+ mysql_note "MySQL init process done. Ready for start up."
+ echo
+ fi
+ fi
+ exec "$@"
}
# If we are sourced from elsewhere, don't perform any further actions
if ! _is_sourced; then
- _main "$@"
+ _main "$@"
fi
#
usage ()
{
- echo "Usage: demo-k8s.sh <namespace> <command> [<parameters>] [execscript]"
- echo " "
- echo " demo-k8s.sh <namespace> init"
- echo " - Execute both init_customer + distribute"
- echo " "
- echo " demo-k8s.sh <namespace> init_customer"
- echo " - Create demo customer (Demonstration) and services, etc."
- echo " "
- echo " demo-k8s.sh <namespace> distribute [<prefix>]"
- echo " - Distribute demo models (demoVFW and demoVLB)"
- echo " "
- echo " demo-k8s.sh <namespace> preload <vnf_name> <module_name>"
- echo " - Preload data for VNF for the <module_name>"
- echo " "
- echo " demo-k8s.sh <namespace> appc <module_name>"
- echo " - provide APPC with vFW module mount point for closed loop"
- echo " "
- echo " demo-k8s.sh <namespace> init_robot [ <etc_hosts_prefix> ]"
- echo " - Initialize robot after all ONAP VMs have started"
- echo " "
- echo " demo-k8s.sh <namespace> instantiateVFW"
- echo " - Instantiate vFW module for the demo customer (DemoCust<uuid>)"
- echo " "
- echo " demo-k8s.sh <namespace> instantiateVFWdirectso csar_filename"
- echo " - Instantiate vFW module using direct SO interface using previously distributed model "
+ echo "Usage: demo-k8s.sh <namespace> <command> [<parameters>] [execscript]"
+ echo " "
+ echo " demo-k8s.sh <namespace> init"
+ echo " - Execute both init_customer + distribute"
+ echo " "
+ echo " demo-k8s.sh <namespace> init_customer"
+ echo " - Create demo customer (Demonstration) and services, etc."
+ echo " "
+ echo " demo-k8s.sh <namespace> distribute [<prefix>]"
+ echo " - Distribute demo models (demoVFW and demoVLB)"
+ echo " "
+ echo " demo-k8s.sh <namespace> preload <vnf_name> <module_name>"
+ echo " - Preload data for VNF for the <module_name>"
+ echo " "
+ echo " demo-k8s.sh <namespace> appc <module_name>"
+ echo " - provide APPC with vFW module mount point for closed loop"
+ echo " "
+ echo " demo-k8s.sh <namespace> init_robot [ <etc_hosts_prefix> ]"
+ echo " - Initialize robot after all ONAP VMs have started"
+ echo " "
+ echo " demo-k8s.sh <namespace> instantiateVFW"
+ echo " - Instantiate vFW module for the demo customer (DemoCust<uuid>)"
+ echo " "
+ echo " demo-k8s.sh <namespace> instantiateVFWdirectso csar_filename"
+ echo " - Instantiate vFW module using direct SO interface using previously distributed model "
echo " that is in /tmp/csar in robot container"
- echo " "
+ echo " "
echo " demo-k8s.sh <namespace> instantiateVLB_CDS"
echo " - Instantiate vLB module using CDS with a preloaded CBA "
echo " "
- echo " demo-k8s.sh <namespace> deleteVNF <module_name from instantiateVFW>"
- echo " - Delete the module created by instantiateVFW"
- echo " "
- echo " demo-k8s.sh <namespace> vfwclosedloop <pgn-ip-address>"
+ echo " demo-k8s.sh <namespace> deleteVNF <module_name from instantiateVFW>"
+ echo " - Delete the module created by instantiateVFW"
+ echo " "
+ echo " demo-k8s.sh <namespace> vfwclosedloop <pgn-ip-address>"
echo " - vFWCL: Sets the packet generator to high and low rates, and checks whether the policy "
echo " kicks in to modulate the rates back to medium"
- echo " "
- echo " demo-k8s.sh <namespace> <command> [<parameters>] execscript"
- echo " - Optional parameter to execute user custom scripts located in scripts/demoscript directory"
- echo " "
+ echo " "
+ echo " demo-k8s.sh <namespace> <command> [<parameters>] execscript"
+ echo " - Optional parameter to execute user custom scripts located in scripts/demoscript directory"
+ echo " "
}
# Check if execscript flag is used and drop it from input arguments
echo $#
if [ $# -lt 2 ];then
- usage
- exit
+ usage
+ exit
fi
NAMESPACE=$1
##
while [ $# -gt 0 ]
do
- key="$1"
+ key="$1"
echo "KEY:"
echo $key
- case $key in
- init_robot)
- TAG="UpdateWebPage"
- echo "WEB Site Password for user 'test': "
- stty -echo
- read WEB_PASSWORD
- stty echo
- if [ "$WEB_PASSWORD" = "" ]; then
- echo ""
- echo "WEB Password is required for user 'test'"
- exit
- fi
- VARIABLES="$VARIABLES -v WEB_PASSWORD:$WEB_PASSWORD"
- shift
- if [ $# -eq 2 ];then
- VARIABLES="$VARIABLES -v HOSTS_PREFIX:$1"
- fi
- shift
- ;;
- init)
- TAG="InitDemo"
- shift
- ;;
- vescollector)
- TAG="vescollector"
- shift
- ;;
+ case $key in
+ init_robot)
+ TAG="UpdateWebPage"
+ echo "WEB Site Password for user 'test': "
+ stty -echo
+ read WEB_PASSWORD
+ stty echo
+ if [ "$WEB_PASSWORD" = "" ]; then
+ echo ""
+ echo "WEB Password is required for user 'test'"
+ exit
+ fi
+ VARIABLES="$VARIABLES -v WEB_PASSWORD:$WEB_PASSWORD"
+ shift
+ if [ $# -eq 2 ];then
+ VARIABLES="$VARIABLES -v HOSTS_PREFIX:$1"
+ fi
+ shift
+ ;;
+ init)
+ TAG="InitDemo"
+ shift
+ ;;
+ vescollector)
+ TAG="vescollector"
+ shift
+ ;;
distribute_vcpe)
- TAG="distributeVCPE"
- shift
- ;;
- init_customer)
- TAG="InitCustomer"
- shift
- ;;
- distribute)
- TAG="InitDistribution"
- shift
- if [ $# -eq 1 ];then
- VARIABLES="$VARIABLES -v DEMO_PREFIX:$1"
- fi
- shift
- ;;
- preload)
- TAG="PreloadDemo"
- shift
- if [ $# -ne 2 ];then
- echo "Usage: demo-k8s.sh <namespace> preload <vnf_name> <module_name>"
- exit
- fi
- VARIABLES="$VARIABLES -v VNF_NAME:$1"
- shift
- VARIABLES="$VARIABLES -v MODULE_NAME:$1"
- shift
- ;;
- appc)
- TAG="APPCMountPointDemo"
- shift
- if [ $# -ne 1 ];then
- echo "Usage: demo-k8s.sh <namespace> appc <module_name>"
- exit
- fi
- VARIABLES="$VARIABLES -v MODULE_NAME:$1"
- shift
- ;;
- instantiateVFW)
- TAG="instantiateVFW"
- VARIABLES="$VARIABLES -v GLOBAL_BUILD_NUMBER:$$"
- shift
- ;;
+ TAG="distributeVCPE"
+ shift
+ ;;
+ init_customer)
+ TAG="InitCustomer"
+ shift
+ ;;
+ distribute)
+ TAG="InitDistribution"
+ shift
+ if [ $# -eq 1 ];then
+ VARIABLES="$VARIABLES -v DEMO_PREFIX:$1"
+ fi
+ shift
+ ;;
+ preload)
+ TAG="PreloadDemo"
+ shift
+ if [ $# -ne 2 ];then
+ echo "Usage: demo-k8s.sh <namespace> preload <vnf_name> <module_name>"
+ exit
+ fi
+ VARIABLES="$VARIABLES -v VNF_NAME:$1"
+ shift
+ VARIABLES="$VARIABLES -v MODULE_NAME:$1"
+ shift
+ ;;
+ appc)
+ TAG="APPCMountPointDemo"
+ shift
+ if [ $# -ne 1 ];then
+ echo "Usage: demo-k8s.sh <namespace> appc <module_name>"
+ exit
+ fi
+ VARIABLES="$VARIABLES -v MODULE_NAME:$1"
+ shift
+ ;;
+ instantiateVFW)
+ TAG="instantiateVFW"
+ VARIABLES="$VARIABLES -v GLOBAL_BUILD_NUMBER:$$"
+ shift
+ ;;
instantiateVFWdirectso)
TAG="instantiateVFWdirectso"
shift
VARIABLES="$VARIABLES -v GLOBAL_BUILD_NUMBER:$$"
shift
;;
- deleteVNF)
- TAG="deleteVNF"
- shift
- if [ $# -ne 1 ];then
- echo "Usage: demo-k8s.sh <namespace> deleteVNF <module_name from instantiateVFW>"
- exit
- fi
- VARFILE=$1.py
- VARIABLES="$VARIABLES -V /share/${VARFILE}"
- shift
- ;;
- cds)
- TAG="cds"
- shift
- ;;
+ deleteVNF)
+ TAG="deleteVNF"
+ shift
+ if [ $# -ne 1 ];then
+ echo "Usage: demo-k8s.sh <namespace> deleteVNF <module_name from instantiateVFW>"
+ exit
+ fi
+ VARFILE=$1.py
+ VARIABLES="$VARIABLES -V /share/${VARFILE}"
+ shift
+ ;;
+ cds)
+ TAG="cds"
+ shift
+ ;;
distributeVFWNG)
TAG="distributeVFWNG"
shift
VARIABLES="$VARIABLES -v PACKET_GENERATOR_HOST:$1 -v pkg_host:$1"
shift
;;
- *)
- usage
- exit
- esac
+ *)
+ usage
+ exit
+ esac
done
set -x
GLOBAL_AAF_PASSWORD = '{{ .Values.aafPassword }}'
GLOBAL_AAF_AUTHENTICATION = [GLOBAL_AAF_USERNAME, GLOBAL_AAF_PASSWORD]
# aai info - everything is from the private oam network (also called onap private network)
-GLOBAL_AAI_SERVER_PROTOCOL = "https"
-GLOBAL_AAI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "aai" "port" 8443) }}'
+GLOBAL_AAI_SERVER_PROTOCOL = '{{ include "common.scheme" . }}'
+GLOBAL_AAI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "aai" "port" ( ternary 8443 80 (eq "true" (include "common.needTLS" . )))) }}'
GLOBAL_AAI_USERNAME = '{{ .Values.aaiUsername }}'
GLOBAL_AAI_PASSWORD = '{{ .Values.aaiPassword}}'
GLOBAL_AAI_AUTHENTICATION = [GLOBAL_AAI_USERNAME, GLOBAL_AAI_PASSWORD]
generate_ca_key_cert () {
- openssl genrsa -out $1/ca.key 2048
- openssl req -new -x509 -days 36500 -key $1/ca.key -out $1/ca.pem -subj /CN=dcae-hv-ves-ca.onap
+ openssl genrsa -out $1/ca.key 2048
+ openssl req -new -x509 -days 36500 -key $1/ca.key -out $1/ca.pem -subj /CN=dcae-hv-ves-ca.onap
}
generate_server_key_csr () {
- openssl genrsa -out $1/server.key 2048
- openssl req -new -key $1/server.key -out $1/server.csr -subj /CN=dcae-hv-ves-collector.onap
+ openssl genrsa -out $1/server.key 2048
+ openssl req -new -key $1/server.key -out $1/server.csr -subj /CN=dcae-hv-ves-collector.onap
}
generate_client_key_csr () {
- openssl genrsa -out $1/client.key 2048
- openssl req -new -key $1/client.key -out $1/client.csr -subj /CN=dcae-hv-ves-client.onap
+ openssl genrsa -out $1/client.key 2048
+ openssl req -new -key $1/client.key -out $1/client.csr -subj /CN=dcae-hv-ves-client.onap
}
sign_server_and_client_cert () {
- openssl x509 -req -days 36500 -in $1/server.csr -CA $1/ca.pem -CAkey $1/ca.key -out $1/server.pem -set_serial 00
- openssl x509 -req -days 36500 -in $1/client.csr -CA $1/ca.pem -CAkey $1/ca.key -out $1/client.pem -set_serial 00
+ openssl x509 -req -days 36500 -in $1/server.csr -CA $1/ca.pem -CAkey $1/ca.key -out $1/server.pem -set_serial 00
+ openssl x509 -req -days 36500 -in $1/client.csr -CA $1/ca.pem -CAkey $1/ca.key -out $1/client.pem -set_serial 00
}
create_pkcs12_ca_and_server () {
- openssl pkcs12 -export -out $1/ca.p12 -inkey $1/ca.key -in $1/ca.pem -passout pass:
- openssl pkcs12 -export -out $1/server.p12 -inkey $1/server.key -in $1/server.pem -passout pass:
+ openssl pkcs12 -export -out $1/ca.p12 -inkey $1/ca.key -in $1/ca.pem -passout pass:
+ openssl pkcs12 -export -out $1/server.p12 -inkey $1/server.key -in $1/server.pem -passout pass:
}
copy_server_certs_to_hvves () {
- for f in ca.p12 server.p12
- do
- kubectl cp $1/$f $2/$3:$4
- done
+ for f in ca.p12 server.p12
+ do
+ kubectl cp $1/$f $2/$3:$4
+ done
}
copy_client_certs_to_robot () {
- for f in ca.pem client.key client.pem
- do
+ for f in ca.pem client.key client.pem
+ do
kubectl cp $1/$f $2/$3:$4
done
}
cleanup () {
- rm -f $1/ca.??? $1/server.??? s$1/client.???
+ rm -f $1/ca.??? $1/server.??? s$1/client.???
}
CSV2JSON='import csv; import json; import sys; print(json.dumps({i[0]: i[1] for i in csv.reader(sys.stdin)}))'
FILTER="$(tr -d [:space:] <<TEMPLATE
{{range .items}}
- {{range.spec.ports}}
- {{if .nodePort}}
- {{.nodePort}}{{','}}{{.name}}{{'\n'}}
- {{end}}
- {{end}}
+ {{range.spec.ports}}
+ {{if .nodePort}}
+ {{.nodePort}}{{','}}{{.name}}{{'\n'}}
+ {{end}}
+ {{end}}
{{end}}
TEMPLATE)"
setup () {
- export NODEPORTS_FILE="$(mktemp -p ${TMPDIR} ${TMPTPL}XXX)"
+ export NODEPORTS_FILE="$(mktemp -p ${TMPDIR} ${TMPTPL}XXX)"
}
create_actual_nodeport_json () {
- kubectl get svc -n $NAMESPACE -o go-template="$FILTER" | python3 -c "$CSV2JSON" > "$NODEPORTS_FILE"
+ kubectl get svc -n $NAMESPACE -o go-template="$FILTER" | python3 -c "$CSV2JSON" > "$NODEPORTS_FILE"
}
copy_actual_nodeport_json_to_robot () {
- kubectl cp "$1" "$2/$3:$4"
+ kubectl cp "$1" "$2/$3:$4"
}
cleanup () {
- rm "$NODEPORTS_FILE"
+ rm "$NODEPORTS_FILE"
}
# ============LICENSE_START=======================================================
# ONAP : SDN-C
# ================================================================================
-# Copyright (C) 2017 AT&T Intellectual Property. All rights
-# reserved.
+# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
if [ -d $JOURNAL_PATH ]
then
mv $JOURNAL_PATH/* $MDSAL_PATH/journal
- rm -f $JOURNAL_PATH
+ rm -f $JOURNAL_PATH
fi
ln -s $MDSAL_PATH/journal $JOURNAL_PATH
fi
if [ -d $SNAPSHOTS_PATH ]
then
mv $SNAPSHOTS_PATH/* $MDSAL_PATH/snapshots
- rm -f $SNAPSHOTS_PATH
+ rm -f $SNAPSHOTS_PATH
fi
ln -s $MDSAL_PATH/snapshots $SNAPSHOTS_PATH
fi
# ============LICENSE_START=======================================================
# ONAP : SDN-C
# ================================================================================
-# Copyright (C) 2017 AT&T Intellectual Property. All rights
-# reserved.
+# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
prepare_password()
{
- echo "$1" | sed -e "s/'/\\\\'/g; s/\"/\\\\\"/g"
+ echo "$1" | sed -e "s/'/\\\\'/g; s/\"/\\\\\"/g"
}
DB_PASSWORD=`prepare_password $DB_PASSWORD`
prepare_password()
{
- echo "$1" | sed -e "s/'/\\\\'/g; s/\"/\\\\\"/g"
+ echo "$1" | sed -e "s/'/\\\\'/g; s/\"/\\\\\"/g"
}
DB_ADMIN_PASSWORD=`prepare_password $DB_ADMIN_PASSWORD`
fqdn: so
fqi: so@so.onap.org
public_fqdn: so.onap.org
+ fqi_namespace: org.onap.so
cadi_longitude: '0.0'
cadi_latitude: '0.0'
app_ns: org.osaaf.aaf
credsPath: /opt/app/osaaf/local
- qi_namespace: org.onap.so
aaf_add_config: |
echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop
echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop
# a part of this chart's package and will not
# be published independently to a repo (at this point)
repository: '@local'
+ - name: certInitializer
+ version: ~8.x-0
+ repository: '@local'
- name: readinessCheck
version: ~8.x-0
repository: '@local'
#Start the chef-solo if mso-docker.json contains some data.
if [ -s /var/berks-cookbooks/${CHEF_REPO_NAME}/environments/mso-docker.json ]
then
- echo "mso-docker.json has some configuration, replay the recipes."
- chef-solo -c /var/berks-cookbooks/${CHEF_REPO_NAME}/solo.rb -o recipe[mso-config::apih],recipe[mso-config::bpmn],recipe[mso-config::jra]
+ echo "mso-docker.json has some configuration, replay the recipes."
+ chef-solo -c /var/berks-cookbooks/${CHEF_REPO_NAME}/solo.rb -o recipe[mso-config::apih],recipe[mso-config::bpmn],recipe[mso-config::jra]
else
- echo "mso-docker.json is empty, do not replay the recipes."
+ echo "mso-docker.json is empty, do not replay the recipes."
fi
JBOSS_PIDFILE=/tmp/jboss-standalone.pid
aaf:
trustore: org.onap.so.trust.jks
+#################################################################
+# AAF part for Ingress
+#################################################################
+certInitializer:
+ nameOverride: so-tls-cert
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: so
+ fqi: so@so.onap.org
+ public_fqdn: so.onap.org
+ fqi_namespace: org.onap.so
+ cadi_longitude: '0.0'
+ cadi_latitude: '0.0'
+ app_ns: org.osaaf.aaf
+ credsPath: /opt/app/osaaf/local
+ ingressTlsSecret: '{{ include "common.release" . }}-so-ingress-certs'
+
#################################################################
# Application configuration defaults.
#################################################################
name: 'so'
port: 8080
config:
- ssl: 'none'
+ tls:
+ secret: '{{ include "common.release" . }}-so-ingress-certs'
mso:
adapters:
# application image
repository: nexus3.onap.org:10001
-image: onap/usecase-ui-server:4.0.1
+image: onap/usecase-ui-server:4.0.3
pullPolicy: Always
# application configuration
flavor: small
# application image
-image: onap/usecase-ui:4.0.2
+image: onap/usecase-ui:4.0.3
pullPolicy: Always
# application configuration