[AAI][SCHEMA] Remove Hardcoded certificates 95/118295/34
authorSylvain Desbureaux <sylvain.desbureaux@orange.com>
Tue, 23 Feb 2021 17:07:34 +0000 (18:07 +0100)
committerSylvain Desbureaux <sylvain.desbureaux@orange.com>
Fri, 12 Nov 2021 20:18:54 +0000 (20:18 +0000)
Use Certinitializer in order to retrieve needed certificates.
It also retrieves the certificates for graphadmin, as both microservices
work together.

Issue-ID: OOM-2691
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: Iad790cc14361cf15d5a6bf4fcad6fd9f4048a1a7

26 files changed:
kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat
kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat
kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat
kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat
kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat
kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat
kubernetes/aaf/resources/data/identities.dat
kubernetes/aai/components/aai-graphadmin/requirements.yaml
kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties
kubernetes/aai/components/aai-graphadmin/resources/config/application.properties
kubernetes/aai/components/aai-graphadmin/resources/config/logback.xml
kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml
kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
kubernetes/aai/components/aai-graphadmin/templates/service.yaml
kubernetes/aai/components/aai-graphadmin/values.yaml
kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties
kubernetes/aai/components/aai-schema-service/config/application.properties
kubernetes/aai/components/aai-schema-service/config/logback.xml
kubernetes/aai/components/aai-schema-service/config/realm.properties
kubernetes/aai/components/aai-schema-service/requirements.yaml
kubernetes/aai/components/aai-schema-service/templates/configmap.yaml
kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
kubernetes/aai/components/aai-schema-service/values.yaml

index a463985..8a923b2 100644 (file)
@@ -4,10 +4,11 @@ aaf@aaf.osaaf.org|aaf|local|/opt/app/osaaf/local||mailto:|org.osaaf.aaf|root|30|
 aaf-sms@aaf-sms.onap.org|aaf-sms|local|/opt/app/osaaf/local||mailto:|org.onap.aaf-sms|root|30|{'aaf-sms-db.onap', 'aaf-sms.api.simpledemo.onap.org', 'aaf-sms.onap', 'aaf-sms.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12', 'file'}
 aai@aai.onap.org|aai1|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12'}
 aai@aai.onap.org|aai2|aaf|/Users/jf2512||mailto:|org.onap.aai|jf2512|60|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.onap aai-sparky-be.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org aai1.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'}
-aai@aai.onap.org|aai|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|60|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-search-data.onap', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'}
+aai@aai.onap.org|aai|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|60|{'aai-babel.onap', 'aai-babel', 'aai-graphadmin', 'aai-graphadmin.onap', 'aai-modelloader.onap', 'aai-modelloader', 'aai-search-data.onap', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'}
 aai@aai.onap.org|aai.onap|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12'}
 aai@aai.onap.org|mithrilcsp.sbc.com|local|/tmp/onap||mailto:|org.onap.aai|jg1555|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'}
 aai-resources@aai-resources.onap.org|aai-resources|local|/opt/app/osaaf/local||mailto:|org.onap.aai-resources|root|30|{'aai-resources', 'aai-resources.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'}
+aai-schema-service@aai-schema-service.onap.org|aai-schema-service|local|/opt/app/osaaf/local||mailto:|org.onap.aai-schema-service|root|30|{'aai-schema-service', 'aai-schema-service.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'}
 aai-traversal@aai-traversal.onap.org|aai-traversal|local|/opt/app/osaaf/local||mailto:|org.onap.aai-traversal|root|30|{'aai-traversal', 'aai-traversal.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'}
 appc@appc.onap.org|appc|local|/opt/app/osaaf/local||mailto:|org.onap.appc|root|60|{'appc.api.simpledemo.onap.org', 'appc.onap', 'appc.simpledemo.onap.org'}|mmanager@osaaf.org|{'pkcs12'}
 appc-cdt@appc-cdt.onap.org|appc-cdt|local|/opt/app/osaaf/local||mailto:|org.onap.appc-cdt|root|30|{'appc-cdt', 'appc-cdt.api.simpledemo.onap.org', 'appc-cdt.onap'}|mmanager@osaaf.org|{'file', 'pkcs12', 'script'}
index 7112b0b..1279c36 100644 (file)
@@ -6,6 +6,7 @@ aaf-sms@aaf-sms.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d0
 clamp@clamp.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.clamp|53344||
 aai@aai.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai|53344||
 aai-resources@aai-resources.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai-resources|53344||
+aai-schema-service@aai-schema-service.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai-schema-service|53344||
 aai-traversal@aai-traversal.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai-traversal|53344||
 appc@appc.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.appc|53344||
 appc-cdt@appc-cdt.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.appc-cdt|53344||
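Review bot: The added aai-schema-service credential row reuses the same password hash as every other identity in this hunk, so the new service appears to share the common bootstrap credential rather than having one of its own. That matches the file's existing rows, but it means the initial secret of any one service identity also covers this one; if the AAF bootstrap flow allows it, a per-identity initial secret would be preferable, and at minimum the row should be understood as bootstrap-only and rotated after first start. The ns.dat, perm.dat, role.dat and user_role.dat hunks are plain namespace/role additions (plus the `org.onapaai-*` typo fixes) and need no change.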
index 6763069..7d20d55 100644 (file)
@@ -2,6 +2,7 @@ org.onap.a1p||org.onap||3
 org.onap.aaf-sms||org.onap||3
 org.onap.aai||org.onap||3
 org.onap.aai-resources||org.onap||3
+org.onap.aai-schema-service||org.onap||3
 org.onap.aai-traversal||org.onap||3
 org.onap.appc||org.onap||3
 org.onap.appc-cdt||org.onap||3
index 48ec26e..89c726f 100644 (file)
@@ -20,6 +20,9 @@ org.onap.aai|traversal|*|basic||"{'org.onap.aai|traversal_basic'}"
 org.onap.aai-resources|access|*|*|AAF Namespace Write Access|"{'org.onap.aai-resources|admin', 'org.onap.aai-resources|service'}"
 org.onap.aai-resources|access|*|read|AAF Namespace Read Access|"{'org.onap.aai-resources|owner'}"
 org.onap.aai-resources|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}"
+org.onap.aai-schema-service|access|*|*|AAF Namespace Write Access|"{'org.onap.aai-schema-service|admin', 'org.onap.aai-schema-service|service'}"
+org.onap.aai-schema-service|access|*|read|AAF Namespace Read Access|"{'org.onap.aai-schema-service|owner'}"
+org.onap.aai-schema-service|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}"
 org.onap.aai-traversal|access|*|*|AAF Namespace Write Access|"{'org.onap.aai-traversal|admin', 'org.onap.aai-traversal|service'}"
 org.onap.aai-traversal|access|*|read|AAF Namespace Read Access|"{'org.onap.aai-traversal|owner'}"
 org.onap.aai-traversal|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}"
index 397846c..111b94e 100644 (file)
@@ -15,10 +15,13 @@ org.onap.aai|traversal_advanced|traversal_advanced|"{'org.onap.aai|traversal|*|a
 org.onap.aai|traversal_basic|traversal_basic|"{'org.onap.aai|traversal|*|basic'}"
 org.onap.aai-resources|admin|AAF Namespace Administrators|"{'org.onap.aai-resources|access|*|*'}"
 org.onap.aai-resources|owner|AAF Namespace Owners|"{'org.onap.aai-resources|access|*|read'}"
-org.onap.aai-resources|service||"{'org.onapaai-resources|access|*|*'}"
+org.onap.aai-resources|service||"{'org.onap.aai-resources|access|*|*'}"
+org.onap.aai-schema-service|admin|AAF Namespace Administrators|"{'org.onap.aai-schema-service|access|*|*'}"
+org.onap.aai-schema-service|owner|AAF Namespace Owners|"{'org.onap.aai-schema-service|access|*|read'}"
+org.onap.aai-schema-service|service||"{'org.onap.aai-schema-service|access|*|*'}"
 org.onap.aai-traversal|admin|AAF Namespace Administrators|"{'org.onap.aai-traversal|access|*|*'}"
 org.onap.aai-traversal|owner|AAF Namespace Owners|"{'org.onap.aai-traversal|access|*|read'}"
-org.onap.aai-traversal|service||"{'org.onapaai-traversal|access|*|*'}"
+org.onap.aai-traversal|service||"{'org.onap.aai-traversal|access|*|*'}"
 org.onap|admin|Onap Admins|"{'org.onap.access|*|*'}"
 org.onap.appc|admin|AAF Namespace Administrators|"{'org.onap.appc|access|*|*'}"
 org.onap.appc|apidoc||"{'org.onap.appc|apidoc|/apidoc/.*|ALL'}"
@@ -339,7 +342,7 @@ org.openecomp.dmaapBC|admin|AAF Admins|"{'org.openecomp.dmaapBC.access|*|*', 'or
 org.openecomp.dmaapBC|owner|AAF Owners|"{'org.openecomp.dmaapBC.access|*|read'}"
 org.openecomp|owner|OpenEcomp Owners|"{'org.openecomp.access|*|read'}"
 org.osaaf.aaf|admin|AAF Admins|"{'org.osaaf.aaf.access|*|*', 'org.osaaf.aaf|cache|all|clear', 'org.osaaf.aaf|cache|role|clear', 'org.osaaf.aaf|password|*|create,reset'}"
-org.osaaf.aaf|deploy|ONAP Deployment Role|"{'org.onap.a1p|certman|local|request,ignoreIPs,showpass', 'org.onap.aaf-sms|certman|local|request,ignoreIPs,showpass', 'org.onap.aai|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-resources|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-traversal|certman|local|request,ignoreIPs,showpass', 'org.onap.appc|certman|local|request,ignoreIPs,showpass', 'org.onap.appc-cdt|certman|local|request,ignoreIPs,showpass', 'org.onap.clamp|certman|local|request,ignoreIPs,showpass', 'org.onap.cli|certman|local|request,ignoreIPs,showpass', 'org.onap.dcae|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-mm-prov|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-topic-mgr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-dr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-mr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap.mr|certman|local|request,ignoreIPs,showpass', 'org.onap.holmes-engine-mgmt|certman|local|request,ignoreIPs,showpass', 'org.onap.holmes-rule-mgmt|certman|local|request,ignoreIPs,showpass', 'org.onap.msb-eag|certman|local|request,ignoreIPs,showpass', 'org.onap.msb-iag|certman|local|request,ignoreIPs,showpass', 'org.onap.music|certman|local|request,ignoreIPs,showpass', 'org.onap.nbi|certman|local|request,ignoreIPs,showpass', 'org.onap.oof|certman|local|request,ignoreIPs,showpass', 'org.onap.policy|certman|local|request,ignoreIPs,showpass', 'org.onap.pomba|certman|local|request,ignoreIPs,showpass', 'org.onap.portal|certman|local|request,ignoreIPs,showpass', 'org.onap.refrepo|certman|local|request,ignoreIPs,showpass', 'org.onap.sdc|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc-cds|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc|certman|local|request,ignoreIPs,showpass', 'org.onap.so|certman|local|request,ignoreIPs,showpass', 
'org.onap.vfc|certman|local|request,ignoreIPs,showpass', 'org.onap.vid1|certman|local|request,ignoreIPs,showpass', 'org.onap.vid2|certman|local|request,ignoreIPs,showpass', 'org.onap.vid|certman|local|request,ignoreIPs,showpass', 'org.onap.uui|certman|local|request,ignoreIPs,showpass', 'org.osaaf.aaf|certman|local|request,ignoreIPs,showpass'}"
+org.osaaf.aaf|deploy|ONAP Deployment Role|"{'org.onap.a1p|certman|local|request,ignoreIPs,showpass', 'org.onap.aaf-sms|certman|local|request,ignoreIPs,showpass', 'org.onap.aai|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-resources|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-schema-service|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-traversal|certman|local|request,ignoreIPs,showpass', 'org.onap.appc|certman|local|request,ignoreIPs,showpass', 'org.onap.appc-cdt|certman|local|request,ignoreIPs,showpass', 'org.onap.clamp|certman|local|request,ignoreIPs,showpass', 'org.onap.cli|certman|local|request,ignoreIPs,showpass', 'org.onap.dcae|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-mm-prov|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-topic-mgr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-dr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-mr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap.mr|certman|local|request,ignoreIPs,showpass', 'org.onap.holmes-engine-mgmt|certman|local|request,ignoreIPs,showpass', 'org.onap.holmes-rule-mgmt|certman|local|request,ignoreIPs,showpass', 'org.onap.msb-eag|certman|local|request,ignoreIPs,showpass', 'org.onap.msb-iag|certman|local|request,ignoreIPs,showpass', 'org.onap.music|certman|local|request,ignoreIPs,showpass', 'org.onap.nbi|certman|local|request,ignoreIPs,showpass', 'org.onap.oof|certman|local|request,ignoreIPs,showpass', 'org.onap.policy|certman|local|request,ignoreIPs,showpass', 'org.onap.pomba|certman|local|request,ignoreIPs,showpass', 'org.onap.portal|certman|local|request,ignoreIPs,showpass', 'org.onap.refrepo|certman|local|request,ignoreIPs,showpass', 'org.onap.sdc|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc-cds|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc|certman|local|request,ignoreIPs,showpass', 
'org.onap.so|certman|local|request,ignoreIPs,showpass', 'org.onap.vfc|certman|local|request,ignoreIPs,showpass', 'org.onap.vid1|certman|local|request,ignoreIPs,showpass', 'org.onap.vid2|certman|local|request,ignoreIPs,showpass', 'org.onap.vid|certman|local|request,ignoreIPs,showpass', 'org.onap.uui|certman|local|request,ignoreIPs,showpass', 'org.osaaf.aaf|certman|local|request,ignoreIPs,showpass'}"
 org.osaaf.aaf|owner|AAF Owners|"{'org.osaaf.aaf.access|*|read,approve'}"
 org.osaaf.aaf|service||"{'org.osaaf.aaf|cache|*|clear'}"
 org.osaaf|admin|OSAAF Admins|"{'org.osaaf.access|*|*'}"
index 0dabc4d..bc9f0ec 100644 (file)
@@ -6,6 +6,8 @@ mmanager@people.osaaf.org|org.onap.aai.admin|2020-11-26 12:31:54.000+0000|org.on
 mmanager@people.osaaf.org|org.onap.aai.owner|2020-11-26 12:31:54.000+0000|org.onap.aai|owner
 mmanager@people.osaaf.org|org.onap.aai-resources.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|admin
 mmanager@people.osaaf.org|org.onap.aai-resources.owner|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|owner
+mmanager@people.osaaf.org|org.onap.aai-schema-service.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|admin
+mmanager@people.osaaf.org|org.onap.aai-schema-service.owner|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|owner
 mmanager@people.osaaf.org|org.onap.aai-traversal.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|admin
 mmanager@people.osaaf.org|org.onap.aai-traversal.owner|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|owner
 mmanager@people.osaaf.org|org.onap.admin|2020-11-26 12:31:54.000+0000|org.onap|admin
@@ -202,6 +204,7 @@ aaf_admin@people.osaaf.org|org.onap.a1p.admin|2020-11-26 12:31:54.000+0000|org.o
 aaf_admin@people.osaaf.org|org.onap.aaf-sms.admin|2020-11-26 12:31:54.000+0000|org.onap.aaf-sms|admin
 aaf_admin@people.osaaf.org|org.onap.aai.admin|2020-11-26 12:31:54.000+0000|org.onap.aai|admin
 aaf_admin@people.osaaf.org|org.onap.aai-resources.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|admin
+aaf_admin@people.osaaf.org|org.onap.aai-schema-service.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|admin
 aaf_admin@people.osaaf.org|org.onap.aai-traversal.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|admin
 aaf_admin@people.osaaf.org|org.onap.appc.admin|2020-11-26 12:31:54.000+0000|org.onap.appc|admin
 aaf_admin@people.osaaf.org|org.onap.appc.apidoc|2020-11-26 12:31:54.000+0000|org.onap.appc|apidoc
@@ -272,6 +275,7 @@ aai@aai.onap.org|org.onap.aai.admin|2020-11-26 12:31:54.000+0000|org.onap.aai|ad
 aai@aai.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all
 aai@aai.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced
 aai-resources@aai-resources.onap.org|org.onap.aai-resources.service|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|service
+aai-schema-service@aai-schema-service.onap.org|org.onap.aai-schema-service.service|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|service
 aai-traversal@aai-traversal.onap.org|org.onap.aai-traversal.service|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|service
 appc@appc.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all
 appc@appc.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced
index 972b2ed..4813cc1 100644 (file)
@@ -54,6 +54,7 @@ aaf-sms|AAF SMS Application|AAF SMS|Application|314-123-1234|no_reply@people.osa
 clamp|ONAP CLAMP Application|CLAMP|Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager
 aai|ONAP AAI Application|AAI|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager
 aai-resources|ONAP AAI Resources Application|AAI Resources|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager
+aai-schema-service|ONAP AAI Schema Service Application|AAI Schema Service|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager
 aai-traversal|ONAP AAI Traversal Application|AAI Resources|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager
 appc|ONAP APPC Application|APPC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager
 appc-cdt|ONAP APPC CDT Application|APPC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager
index d80dc5a..5a41aef 100644 (file)
@@ -21,6 +21,9 @@ dependencies:
     # a part of this chart's package and will not
     # be published independently to a repo (at this point)
     repository: '@local'
+  - name: certInitializer
+    version: ~9.x-0
+    repository: '@local'
   - name: repositoryGenerator
     version: ~9.x-0
     repository: '@local'
index 512e906..f768338 100644 (file)
@@ -4,6 +4,7 @@
 # org.onap.aai
 # ================================================================================
 # Copyright Â© 2018 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright Â© 2021 Orange
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -41,10 +42,10 @@ aai.tools.password={{ .Values.global.config.basic.auth.passwd }}
 {{ end }}
 
 {{ if ( include "common.needTLS" .) }}
-aai.truststore.filename={{ .Values.global.config.truststore.filename }}
-aai.truststore.passwd.x={{ .Values.global.config.truststore.passwd }}
-aai.keystore.filename={{ .Values.global.config.keystore.filename }}
-aai.keystore.passwd.x={{ .Values.global.config.keystore.passwd }}
+aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}
+aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+aai.keystore.passwd.x=${KEYSTORE_PASSWORD}
 {{ end }}
 
 aai.notification.current.version={{ .Values.global.config.schema.version.api.default }}
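Review bot: `aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}` and `aai.keystore.passwd.x=${KEYSTORE_PASSWORD}` are now literal `${…}` references in the rendered ConfigMap, so they only work if graphadmin expands environment variables when it reads aaiconfig.properties and if those variables are exported before the JVM starts; neither is visible from this file, so please confirm against the container entrypoint. A one-line comment above the block would save the next reader that check, e.g. `# truststore/keystore passwords are injected at runtime from the certInitializer credentials (obfuscated form), not rendered into the ConfigMap`. Note also that the keystore path here ends in `.p12` while application.properties points at the `.jks` form with a separate `KEYSTORE_JKS_PASSWORD`; that looks intentional given the two password variables, but stating it in the same comment would avoid a future "wrong password" hunt.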
index 367e903..2760602 100644 (file)
@@ -4,6 +4,7 @@
 # org.onap.aai
 # ================================================================================
 # Copyright ï¿½ 2018 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright Â© 2021 Orange
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -44,16 +45,16 @@ server.tomcat.max-idle-time=60000
 
 # If you get an application startup failure that the port is already taken
 # If thats not it, please check if the key-store file path makes sense
-server.local.startpath=aai-graphadmin/src/main/resources/
+server.local.startpath=/opt/app/aai-graphadmin/resources/
 server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties
 
 server.port=8449
 {{ if ( include "common.needTLS" .) }}
 server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-server.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }}
-server.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }})
-server.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.truststore.filename }}
-server.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }})
+server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks
+server.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD})
+server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+server.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD})
 server.ssl.client-auth=want
 server.ssl.key-store-type=JKS
 {{ else }}
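Review bot: `server.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD})` and the trust-store line depend on an environment variable being expanded inside the rendered properties file; if the variable is missing, the literal `password(${KEYSTORE_JKS_PASSWORD})` is handed to the keystore loader and the failure surfaces as an opaque keystore error at startup, so a comment naming the source would help: `# KEYSTORE_JKS_PASSWORD / TRUSTSTORE_PASSWORD are exported by the certInitializer and obfuscate init containers`. The same pattern is used in the schema.service and aperture hunks below, and the remark applies to all three. Separately, the unchanged `server.ssl.enabled-protocols=TLSv1.1,TLSv1.2` line still advertises TLSv1.1, which is deprecated; since the TLS block is being reworked here, restricting it to TLSv1.2 would be a small follow-up if the peers support it.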
@@ -103,10 +104,10 @@ schema.service.versions.endpoint=versions
 schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }}
 
 {{ if ( include "common.needTLS" .) }}
-schema.service.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }}
-schema.service.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.truststore.filename }}
-schema.service.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }})
-schema.service.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }})
+schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks
+schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+schema.service.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD})
+schema.service.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD})
 {{ end }}
 
 aperture.rdbmsname=aai_relational
@@ -115,9 +116,9 @@ aperture.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .V
 
 aperture.service.base.url=http://localhost:8457/aai/aperture
 {{ if ( include "common.needTLS" .) }}
-aperture.service.ssl.key-store=${server.local.startpath}etc/auth/{{ .Values.global.config.keystore.filename }}
-aperture.service.ssl.trust-store=${server.local.startpath}etc/auth/{{ .Values.global.config.truststore.filename }}
-aperture.service.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }})
-aperture.service.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }})
+aperture.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks
+aperture.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+aperture.service.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD})
+aperture.service.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD})
 {{ end }}
 aperture.service.timeout-in-milliseconds=300000
index 95b8140..243acd2 100644 (file)
   <!-- logback jms appenders & loggers definition ends here -->
   <logger name="org.onap.aai.aaf" level="DEBUG" additivity="false">
     <appender-ref ref="asyncAUTH"/>
+    <appender-ref ref="STDOUT"/>
   </logger>
   <logger name="org.onap.aai.aailog.filter.RestClientLoggingInterceptor" level="INFO">
     <appender-ref ref="asyncMETRIC"/>
+    <appender-ref ref="STDOUT"/>
   </logger>
   <logger name="org.onap.logging.filter.base.AbstractMetricLogFilter" level="INFO">
     <appender-ref ref="asyncMETRIC"/>
+    <appender-ref ref="STDOUT"/>
   </logger>
   <logger name="org.onap.aai.aailog.logs.AaiScheduledTaskAuditLog" level="INFO">
     <appender-ref ref="asyncAUDIT"/>
+    <appender-ref ref="STDOUT"/>
   </logger>
   <logger name="org.onap.logging.filter.base.AbstractAuditLogFilter" level="INFO">
     <appender-ref ref="asyncAUDIT"/>
+    <appender-ref ref="STDOUT"/>
   </logger>
   <logger name="org.onap.aai.aailog.logs.AaiDBMetricLog" level="INFO">
     <appender-ref ref="asyncMETRIC"/>
+    <appender-ref ref="STDOUT"/>
   </logger>
   <logger name="org.onap.aai.logging.ErrorLogHelper" level="WARN">
     <appender-ref ref="asyncERROR"/>
+    <appender-ref ref="STDOUT"/>
   </logger>
   <logger name="org.onap.aai.interceptors.post" level="DEBUG" additivity="false">
     <appender-ref ref="asynctranslog"/>
+    <appender-ref ref="STDOUT"/>
   </logger>
   <logger name="org.onap.aai.dmaap" level="DEBUG" additivity="false">
     <appender-ref ref="dmaapAAIEventConsumer"/>
     <appender-ref ref="dmaapAAIEventConsumerDebug"/>
     <appender-ref ref="dmaapAAIEventConsumerMetric"/>
+    <appender-ref ref="STDOUT"/>
   </logger>
   <logger name="org.onap.aai.datasnapshot" level="DEBUG" additivity="false">
     <appender-ref ref="dataSnapshot"/>
     <appender-ref ref="asyncDEBUG"/>
     <appender-ref ref="asyncERROR"/>
     <appender-ref ref="asyncMETRIC"/>
+    <appender-ref ref="STDOUT"/>
   </logger>
   <root level="DEBUG">
     <appender-ref ref="external"/>
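Review bot: The `STDOUT` appender added to `org.onap.aai.aaf` at level DEBUG sends the AAF authentication logger's debug output to the container log stream, where it is collected by the cluster log pipeline rather than staying in the mounted log files; please confirm that nothing in that logger's DEBUG output includes credentials, tokens or certificate material before it goes to stdout. Also, several loggers that gain `STDOUT` here (`RestClientLoggingInterceptor`, `AbstractMetricLogFilter`, `AbstractAuditLogFilter`, `AaiDBMetricLog`, `ErrorLogHelper`) do not set `additivity="false"`, so if the `<root>` logger, which continues past the end of the hunk, also carries `STDOUT`, those events will be written to stdout twice. A short comment at the top of the logger block, such as `<!-- STDOUT added so that audit/metric/error logs are visible via kubectl logs -->`, would document the intent.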
index 91cd748..8eb4a4a 100644 (file)
@@ -4,6 +4,7 @@
 # org.onap.aai
 # ================================================================================
 # Copyright Â© 2018 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright Â© 2021 Orange
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,7 +23,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "common.fullname" . }}-configmap
+  name: {{ include "common.fullname" . }}
   namespace: {{ include "common.namespace" . }}
   labels:
     app: {{ include "common.name" . }}
@@ -40,16 +41,33 @@ data:
 {{ tpl (.Files.Glob "resources/config/localhost-access-logback.xml").AsConfig . | indent 2 }}
 {{ tpl (.Files.Glob "resources/config/janusgraph-realtime.properties").AsConfig . | indent 2 }}
 {{ tpl (.Files.Glob "resources/config/janusgraph-cached.properties").AsConfig . | indent 2 }}
+{{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "common.fullname" . }}-properties
+  namespace: {{ include "common.namespace" . }}
+  labels:
+    app: {{ include "common.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ include "common.release" . }}
+    heritage: {{ .Release.Service }}
+  {{- if .Values.global.jobs.migration.enabled }}
+  annotations:
+    "helm.sh/hook": pre-upgrade,pre-install
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": before-hook-creation
+  {{- end }}
+data:
 {{ tpl (.Files.Glob "resources/config/aaiconfig.properties").AsConfig . | indent 2 }}
 {{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }}
-
 {{- if .Values.global.jobs.migration.enabled }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "common.fullname" . }}-migration-configmap
+  name: {{ include "common.fullname" . }}-migration
   namespace: {{ include "common.namespace" . }}
   labels:
     app: {{ include "common.name" . }}
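Review bot: The new `-properties` ConfigMap becomes a Helm hook resource (`helm.sh/hook: pre-upgrade,pre-install` with `hook-delete-policy: before-hook-creation`) whenever `global.jobs.migration.enabled` is set, which changes its lifecycle: Helm no longer tracks it as part of the release, `helm uninstall` will not remove it, and it is deleted and recreated at the next hook run while the running deployment may still be mounting it. If the intent is only to make the properties available to the migration job hook, that is worth stating in a comment above the `{{- if .Values.global.jobs.migration.enabled }}` line, e.g. `# hook annotations so the pre-upgrade migration job can mount this ConfigMap before the deployment is rendered`. The ConfigMap renames (`-configmap` → plain fullname, `-migration-configmap` → `-migration`) also require every consumer to be updated; the deployment and job templates are in the change list but the job hunks are not visible here.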
index 6de34e9..6b58eaa 100644 (file)
@@ -5,7 +5,7 @@
 # ================================================================================
 # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
-# Copyright (c) 2020 Orange Intellectual Property. All rights reserved.
+# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -53,7 +53,49 @@ spec:
       hostname: aai-graphadmin
       terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
     {{ if .Values.global.initContainers.enabled }}
-      initContainers:
+      initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+      {{- if .Values.global.aafEnabled }}
+      - command:
+        - sh
+        args:
+        - -c
+        - |
+          echo "*** retrieve Truststore and Keystore password"
+          export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+          echo "*** obfuscate them "
+          export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+          echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+          echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+        image: {{ include "repositoryGenerator.image.jetty" . }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-obfuscate
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+        securityContext:
+          runAsUser: {{ .Values.securityContext.user_id }}
+      - command:
+        - sh
+        args:
+        - -c
+        - |
+          echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+          export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+          cd /config-input
+          for PFILE in `ls -1`
+          do
+            envsubst <${PFILE} >/config/${PFILE}
+          done
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+        - mountPath: /config-input
+          name: properties-input
+        - mountPath: /config
+          name: properties
+        image: {{ include "repositoryGenerator.image.envsubst" . }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-update-config
+      {{- end }}
       - command:
       {{ if .Values.global.jobs.migration.enabled }}
         - /app/ready.py
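Review bot: In the `-obfuscate` init container a failed `java ... Password` call is absorbed silently: stderr is merged into the pipe and `grep "OBF:"` simply yields nothing, so an empty `KEYSTORE_PASSWORD=` is appended to mycreds.prop, rendered into the properties files by the next container, and the init container still exits 0. The classpath `/usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar` is pinned to one Jetty build, so a bump of the `repositoryGenerator.image.jetty` image is the most likely way to hit that path. Passing `${KEYSTORE_PLAIN_PASSWORD}` as a command-line argument also shows it in the pod's process table, and Jetty OBF is a reversible encoding rather than a protection, so this step only satisfies Jetty's config format — worth a comment saying so. Resolving the jar by glob and failing the container when no `OBF:` value comes back is the substantive change; the same block is repeated in the three job templates.
```yaml
        - |
          set -e
          echo "*** retrieve Truststore and Keystore password"
          export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
          # resolve the jetty-util jar by glob so an image bump does not break the path
          JETTY_UTIL="$(ls /usr/local/jetty/lib/jetty-util-*.jar)"
          # OBF: is a reversible encoding required by Jetty's config format, not encryption;
          # fail loudly when the tool prints no OBF: value instead of writing an empty password
          obf() {
            out="$(java -cp "${JETTY_UTIL}" org.eclipse.jetty.util.security.Password "$1" 2>&1 | grep "OBF:" || true)"
            [ -n "${out}" ] || { echo "password obfuscation failed" >&2; exit 1; }
            echo "${out}"
          }
          echo "*** obfuscate them "
          KEYSTORE_PASSWORD="$(obf "${KEYSTORE_PLAIN_PASSWORD}")"
          KEYSTORE_JKS_PASSWORD="$(obf "${KEYSTORE_JKS_PLAIN_PASSWORD}")"
          TRUSTSTORE_PASSWORD="$(obf "${TRUSTSTORE_PLAIN_PASSWORD}")"
          export KEYSTORE_PASSWORD KEYSTORE_JKS_PASSWORD TRUSTSTORE_PASSWORD
          # … unchanged: append the three OBF: values to mycreds.prop …
```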
@@ -93,46 +135,40 @@ spec:
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         env:
         - name: LOCAL_USER_ID
-          value: {{ .Values.global.config.userId | quote }}
+          value: {{ .Values.securityContext.user_id | quote }}
         - name: LOCAL_GROUP_ID
-          value: {{ .Values.global.config.groupId | quote }}
+          value: {{ .Values.securityContext.group_id | quote }}
         - name: INTERNAL_PORT_1
           value: {{ .Values.service.internalPort | quote }}
         - name: INTERNAL_PORT_2
           value: {{ .Values.service.internalPort2 | quote }}
-        volumeMounts:
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
         - mountPath: /etc/localtime
           name: localtime
           readOnly: true
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: janusgraph-realtime.properties
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: janusgraph-cached.properties
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
-          name: {{ include "common.fullname" . }}-config
+          name: properties
           subPath: aaiconfig.properties
         - mountPath: /opt/aai/logroot/AAI-RES
           name: logs
         - mountPath: /opt/app/aai-graphadmin/resources/logback.xml
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: logback.xml
         - mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: localhost-access-logback.xml
         - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/realm.properties
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: realm.properties
         - mountPath: /opt/app/aai-graphadmin/resources/application.properties
-          name: {{ include "common.fullname" . }}-config
+          name: properties
           subPath: application.properties
-          {{ $global := . }}
-          {{ range $job := .Values.global.config.auth.files }}
-        - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/{{ . }}
-          name: {{ include "common.fullname" $global }}-auth-truststore-sec
-          subPath: {{ . }}
-          {{ end }}
         ports:
         - containerPort: {{ .Values.service.internalPort }}
         - containerPort: {{ .Values.service.internalPort2 }}
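Review bot: `aaiconfig.properties` and `application.properties` are now taken from the `properties` emptyDir, which is only written by the `-update-config` init container, and that container sits inside the `{{- if .Values.global.aafEnabled }}` guard of the previous hunk. With `global.aafEnabled` false the volume stays empty, so the graphadmin container starts without either file (a subPath onto a path that does not exist in the emptyDir yields no usable file, as far as I can tell), whereas before this change both came straight from the ConfigMap. One fix is to close the guard right after the `-obfuscate` container so that `envsubst` always runs — it is harmless with the variables unset — or to mount the two files from `properties-input` when AAF is disabled. Separately, `realm.properties` is still served from the plain `config` ConfigMap; if it carries the Jetty HashLoginService users and passwords, a Secret is the better home.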
@@ -176,24 +212,22 @@ spec:
       # side car containers
       {{ include "common.log.sidecar" . | nindent 6 }}
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
-      volumes:
+      volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
       - name: localtime
         hostPath:
           path: /etc/localtime
       - name: logs
         emptyDir: {}
       {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
-      - name: {{ include "common.fullname" . }}-config
+      - name: config
+        configMap:
+          name: {{ include "common.fullname" . }}
+      - name: properties-input
         configMap:
-          name: {{ include "common.fullname" . }}-configmap
-      - name: {{ include "common.fullname" . }}-auth-truststore-sec
-        secret:
-          secretName: aai-common-truststore
-          items:
-            {{ range $job := .Values.global.config.auth.files }}
-            - key: {{ . }}
-              path: {{ . }}
-            {{ end }}
+          name: {{ include "common.fullname" . }}-properties
+      - name: properties
+        emptyDir:
+          medium: Memory
       restartPolicy: {{ .Values.restartPolicy }}
       imagePullSecrets:
       - name: {{ include "common.namespace" . }}-docker-registry-key
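Review bot: The `properties` emptyDir backs the rendered configuration with RAM (`medium: Memory`) but sets no `sizeLimit`, so its contents count against the pod's memory with no bound of their own. The two rendered files are small, so adding `sizeLimit: 1Mi` (or a few Mi) under `medium: Memory` documents the expectation and makes an unexpected write into that volume fail visibly instead of growing the pod's footprint.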
index 0cdce11..d1e7284 100644 (file)
@@ -5,7 +5,7 @@
 # ================================================================================
 # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
-# Copyright (c) 2020 Orange Intellectual Property. All rights reserved.
+# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -58,8 +58,50 @@ spec:
         release: {{ include "common.release" . }}
       name: {{ include "common.name" . }}
     spec:
+      initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+      {{- if .Values.global.aafEnabled }}
+      - command:
+        - sh
+        args:
+        - -c
+        - |
+          echo "*** retrieve Truststore and Keystore password"
+          export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+          echo "*** obfuscate them "
+          export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+          echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+          echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+        image: {{ include "repositoryGenerator.image.jetty" . }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-obfuscate
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+        securityContext:
+          runAsUser: {{ .Values.securityContext.user_id }}
+      - command:
+        - sh
+        args:
+        - -c
+        - |
+          echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+          export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+          cd /config-input
+          for PFILE in `ls -1`
+          do
+            envsubst <${PFILE} >/config/${PFILE}
+          done
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+        - mountPath: /config-input
+          name: properties-input
+        - mountPath: /config
+          name: properties
+        image: {{ include "repositoryGenerator.image.envsubst" . }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-update-config
+      {{- end }}
       {{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }}
-      initContainers:
       - command:
         - /bin/bash
         - -c
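Review bot: The `-obfuscate` and `-update-config` init containers in this hunk are a verbatim copy of the pair added to deployment.yaml, and they recur in the other two job templates, so any later fix (the pinned `jetty-util-9.4.44.v20210927.jar` path, error handling on the `grep "OBF:"` result) has to land in four places. A named template in the chart's `_helpers.tpl`, included as `{{ include "aai-graphadmin.certInitContainers" . | nindent 6 }}` at each site, keeps the four specs in step. Note too that the script appends the `OBF:` values to mycreds.prop beside the plaintext values it just read, and Jetty OBF is reversible, so the file holds the secrets in full for its whole lifetime; a one-line comment above `echo "*** obfuscate them "`, such as `# OBF: is a reversible encoding required by Jetty's config format, not encryption`, would stop a reader from treating the step as protection.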
@@ -79,65 +121,69 @@ spec:
         image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         command:
-        - /bin/bash
+        - sh
+        args:
         - -c
         - |
-           bash docker-entrypoint.sh dataSnapshot.sh ;
+           bash docker-entrypoint.sh dataSnapshot.sh
            {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
         env:
         - name: LOCAL_USER_ID
-          value: {{ .Values.global.config.userId | quote }}
+          value: {{ .Values.securityContext.user_id | quote }}
         - name: LOCAL_GROUP_ID
-          value: {{ .Values.global.config.groupId | quote }}
-        volumeMounts:
+          value: {{ .Values.securityContext.group_id | quote }}
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
         - mountPath: /etc/localtime
           name: localtime
           readOnly: true
         - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots
-          name: {{ include "common.fullname" . }}-snapshots
+          name: snapshots
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
-          name: {{ include "common.fullname" . }}-migration
+          name: migration
           subPath: janusgraph-migration-real.properties
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
-          name: {{ include "common.fullname" . }}-migration
+          name: migration
           subPath: janusgraph-migration-cached.properties
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
-          name: {{ include "common.fullname" . }}-config
+          name: properties
           subPath: aaiconfig.properties
         - mountPath: /opt/aai/logroot/AAI-RES/
-          name: {{ include "common.fullname" . }}-logs
+          name: logs
         - mountPath: /opt/app/aai-graphadmin/resources/logback.xml
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: logback.xml
         - mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: localhost-access-logback.xml
         - mountPath: /opt/app/aai-graphadmin/resources/application.properties
-          name: {{ include "common.fullname" . }}-config
+          name: properties
           subPath: application.properties
-        resources:
-{{ include "common.resources" . | indent 10 }}
+        resources: {{ include "common.resources" . | nindent 10 }}
       {{- if .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
-      {{- end -}}
+      nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+      {{- end }}
       {{- if .Values.affinity }}
-      affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+      affinity: {{ toYaml .Values.affinity | nindent 8 }}
       {{- end }}
-      volumes:
+      volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
       - name: localtime
         hostPath:
           path: /etc/localtime
-      - name: {{ include "common.fullname" . }}-logs
+      - name: logs
         emptyDir: {}
-      - name: {{ include "common.fullname" . }}-config
+      - name: config
+        configMap:
+          name: {{ include "common.fullname" . }}
+      - name: properties-input
         configMap:
-          name: {{ include "common.fullname" . }}-configmap
-      - name: {{ include "common.fullname" . }}-migration
+          name: {{ include "common.fullname" . }}-properties
+      - name: properties
+        emptyDir:
+          medium: Memory
+      - name: migration
         configMap:
-          name: {{ include "common.fullname" . }}-migration-configmap
-      - name: {{ include "common.fullname" . }}-snapshots
+          name: {{ include "common.fullname" . }}-migration
+      - name: snapshots
         persistentVolumeClaim:
           claimName: {{ include "common.fullname" . }}-migration
       restartPolicy: Never
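Review bot: In the job container's `sh -c` script, `bash docker-entrypoint.sh dataSnapshot.sh` is followed by the `common.serviceMesh.killSidecar` include, so the container's exit status is whatever that last command returns and a failed snapshot can leave the Job marked Succeeded — I cannot see the include's body, so this is inferred from the command order. Capturing the status first keeps the sidecar cleanup while preserving the failure: `bash docker-entrypoint.sh dataSnapshot.sh; rc=$?`, then the killSidecar include, then `exit ${rc}`. The same ordering is used for `createDBSchema.sh` and `run_Migrations.sh` in the other two jobs of this change.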
index 1705cf5..4a7de64 100644 (file)
@@ -5,7 +5,7 @@
 # ================================================================================
 # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
-# Copyright (c) 2020 Orange Intellectual Property. All rights reserved.
+# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -53,7 +53,49 @@ spec:
         release: {{ include "common.release" . }}
       name: {{ include "common.name" . }}
     spec:
-      initContainers:
+      initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+      {{- if .Values.global.aafEnabled }}
+      - command:
+        - sh
+        args:
+        - -c
+        - |
+          echo "*** retrieve Truststore and Keystore password"
+          export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+          echo "*** obfuscate them "
+          export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+          echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+          echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+        image: {{ include "repositoryGenerator.image.jetty" . }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-obfuscate
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+        securityContext:
+          runAsUser: {{ .Values.securityContext.user_id }}
+      - command:
+        - sh
+        args:
+        - -c
+        - |
+          echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+          export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+          cd /config-input
+          for PFILE in `ls -1`
+          do
+            envsubst <${PFILE} >/config/${PFILE}
+          done
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+        - mountPath: /config-input
+          name: properties-input
+        - mountPath: /config
+          name: properties
+        image: {{ include "repositoryGenerator.image.envsubst" . }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-update-config
+      {{- end }}
       - command:
         - /app/ready.py
         args:
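Review bot: `export $(cat .../local/mycreds.prop | xargs -0)` relies on the shell word-splitting and glob-expanding the file's contents, so a password containing a space, `*`, `?` or `#` is truncated or expanded before `export` sees it, and `xargs -0` with no command just runs `echo` with the secrets as its argument list. Because mycreds.prop is consumed as `NAME=value` lines, sourcing it is both safer and simpler: `set -a; . {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop; set +a`. That assumes the certInitializer writes only plain assignments to the file, which I cannot confirm from this hunk; the same `export $(...)` line is used in both init containers here.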
@@ -79,74 +121,64 @@ spec:
         image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         command:
-        - /bin/bash
+        - sh
+        args:
         - -c
         - |
-           bash docker-entrypoint.sh createDBSchema.sh ;
+           bash docker-entrypoint.sh createDBSchema.sh
            {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
         env:
         - name: LOCAL_USER_ID
-          value: {{ .Values.global.config.userId | quote }}
+          value: {{ .Values.securityContext.user_id | quote }}
         - name: LOCAL_GROUP_ID
-          value: {{ .Values.global.config.groupId | quote }}
-        volumeMounts:
+          value: {{ .Values.securityContext.group_id | quote }}
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
         - mountPath: /etc/localtime
           name: localtime
           readOnly: true
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: janusgraph-realtime.properties
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: janusgraph-cached.properties
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
-          name: {{ include "common.fullname" . }}-config
+          name: properties
           subPath: aaiconfig.properties
         - mountPath: /opt/aai/logroot/AAI-GA
-          name: {{ include "common.fullname" . }}-logs
+          name: logs
         - mountPath: /opt/app/aai-graphadmin/resources/logback.xml
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: logback.xml
         - mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: localhost-access-logback.xml
         - mountPath: /opt/app/aai-graphadmin/resources/application.properties
-          name: {{ include "common.fullname" . }}-config
+          name: properties
           subPath: application.properties
-          {{ $global := . }}
-          {{ range $job := .Values.global.config.auth.files }}
-        - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/{{ . }}
-          name: {{ include "common.fullname" $global }}-auth-truststore-sec
-          subPath: {{ . }}
-          {{ end }}
-        resources:
-{{ include "common.resources" . }}
+        resources: {{ include "common.resources" . | nindent 10 }}
       {{- if .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
-      {{- end -}}
+      nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+      {{- end }}
       {{- if .Values.affinity }}
-      affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+      affinity: {{ toYaml .Values.affinity | nindent 8 }}
       {{- end }}
-      volumes:
+      volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
       - name: localtime
         hostPath:
           path: /etc/localtime
       {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
-      - name: {{ include "common.fullname" . }}-logs
+      - name: logs
         emptyDir: {}
-      - name: {{ include "common.fullname" . }}-config
+      - name: config
+        configMap:
+          name: {{ include "common.fullname" . }}
+      - name: properties-input
         configMap:
-          name: {{ include "common.fullname" . }}-configmap
-      - name: {{ include "common.fullname" . }}-auth-truststore-sec
-        secret:
-          secretName: aai-common-truststore
-          items:
-            {{ range $job := .Values.global.config.auth.files }}
-            - key: {{ . }}
-              path: {{ . }}
-            {{ end }}
+          name: {{ include "common.fullname" . }}-properties
+      - name: properties
+        emptyDir:
+          medium: Memory
       restartPolicy: Never
       imagePullSecrets:
       - name: {{ include "common.namespace" . }}-docker-registry-key
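Review bot: The `-update-config` init container that fills the `properties` volume mounted here has no `securityContext`, while `-obfuscate` runs as `securityContext.user_id` and the job container is told to switch to the same id through `LOCAL_USER_ID`, so the rendered `aaiconfig.properties` and `application.properties` are owned by whatever uid the envsubst image defaults to. Whether that breaks the job depends on the image's umask and on what the entrypoint does with `LOCAL_USER_ID`, which I cannot see; adding the same `securityContext:` / `runAsUser: {{ .Values.securityContext.user_id }}` to `-update-config` removes the question. The two `properties` subPath mounts could also take `readOnly: true`, since the job only reads them.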
index 5752e54..1256e71 100644 (file)
@@ -5,7 +5,7 @@
 # ================================================================================
 # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
-# Copyright (c) 2020 Orange Intellectual Property. All rights reserved.
+# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -58,7 +58,49 @@ spec:
         release: {{ include "common.release" . }}
       name: {{ include "common.name" . }}
     spec:
-      initContainers:
+      initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+      {{- if .Values.global.aafEnabled }}
+      - command:
+        - sh
+        args:
+        - -c
+        - |
+          echo "*** retrieve Truststore and Keystore password"
+          export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+          echo "*** obfuscate them "
+          export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+          echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+          echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+        image: {{ include "repositoryGenerator.image.jetty" . }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-obfuscate
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+        securityContext:
+          runAsUser: {{ .Values.securityContext.user_id }}
+      - command:
+        - sh
+        args:
+        - -c
+        - |
+          echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+          export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+          cd /config-input
+          for PFILE in `ls -1`
+          do
+            envsubst <${PFILE} >/config/${PFILE}
+          done
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+        - mountPath: /config-input
+          name: properties-input
+        - mountPath: /config
+          name: properties
+        image: {{ include "repositoryGenerator.image.envsubst" . }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-update-config
+      {{- end }}
       - command:
         - /app/ready.py
         args:
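Review bot: The `-update-config` container runs `envsubst` with no variable list over every file in `/config-input`, so each `$NAME` or `${NAME}` in `aaiconfig.properties` and `application.properties` is replaced from the environment, and any placeholder other than the three password names becomes an empty string unless a variable of that name happens to exist. Limiting the substitution to the intended names is a one-line change: `envsubst '${KEYSTORE_PASSWORD} ${KEYSTORE_JKS_PASSWORD} ${TRUSTSTORE_PASSWORD}' <${PFILE} >/config/${PFILE}`. Whether the properties files hold other `$` sequences today is not visible from this hunk, but the restriction also documents which placeholders the ConfigMap is allowed to use.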
@@ -80,46 +122,42 @@ spec:
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         name: {{ include "common.name" . }}-readiness
       - command:
-        - /bin/bash
+        - sh
+        args:
         - -c
-        - bash docker-entrypoint.sh dataRestoreFromSnapshot.sh `ls -t /opt/app/aai-graphadmin/logs/data/dataSnapshots|head -1|awk -F".P" '{ print $1 }'`
+        - |
+           bash docker-entrypoint.sh dataRestoreFromSnapshot.sh `ls -t /opt/app/aai-graphadmin/logs/data/dataSnapshots|head -1|awk -F".P" '{ print $1 }'`
         env:
         - name: LOCAL_USER_ID
-          value: {{ .Values.global.config.userId | quote }}
+          value: {{ .Values.securityContext.user_id | quote }}
         - name: LOCAL_GROUP_ID
-          value: {{ .Values.global.config.groupId | quote }}
-        volumeMounts:
+          value: {{ .Values.securityContext.group_id | quote }}
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
         - mountPath: /etc/localtime
           name: localtime
           readOnly: true
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: janusgraph-realtime.properties
         - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots
-          name: {{ include "common.fullname" . }}-snapshots
+          name: snapshots
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: janusgraph-cached.properties
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
-          name: {{ include "common.fullname" . }}-config
+          name: properties
           subPath: aaiconfig.properties
         - mountPath: /opt/aai/logroot/AAI-GA
-          name: {{ include "common.fullname" . }}-logs
+          name: logs
         - mountPath: /opt/app/aai-graphadmin/resources/logback.xml
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: logback.xml
         - mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: localhost-access-logback.xml
         - mountPath: /opt/app/aai-graphadmin/resources/application.properties
-          name: {{ include "common.fullname" . }}-config
+          name: properties
           subPath: application.properties
-          {{ $global := . }}
-          {{ range $job := .Values.global.config.auth.files }}
-        - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/{{ . }}
-          name: {{ include "common.fullname" $global }}-auth-truststore-sec
-          subPath: {{ . }}
-          {{ end }}
         image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         name: {{ include "common.name" . }}-restore-backup
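Review bot: The `-restore-backup` step hands `dataRestoreFromSnapshot.sh` the result of `ls -t .../dataSnapshots | head -1 | awk -F".P" '{ print $1 }'` unchecked, so when the `snapshots` PVC holds no files (a first install, for example) the script runs with an empty argument and the Job's outcome is whatever it does with that — I cannot see the script, so the failure mode is inferred. A guard makes it explicit now that the command is a block scalar: `SNAP=$(ls -t /opt/app/aai-graphadmin/logs/data/dataSnapshots | head -1 | awk -F".P" '{ print $1 }')`, `[ -n "${SNAP}" ] || { echo "no snapshot to restore" >&2; exit 1; }`, then `bash docker-entrypoint.sh dataRestoreFromSnapshot.sh "${SNAP}"`. Quoting `"${SNAP}"` also protects against a snapshot name with unusual characters.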
@@ -128,57 +166,49 @@ spec:
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         name: {{ include "common.name" . }}-perform-migration
         command:
-        - /bin/bash
+        - sh
+        args:
         - -c
         - |
            bash docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges ;
            {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
         env:
         - name: LOCAL_USER_ID
-          value: {{ .Values.global.config.userId | quote }}
+          value: {{ .Values.securityContext.user_id | quote }}
         - name: LOCAL_GROUP_ID
-          value: {{ .Values.global.config.groupId | quote }}
-        volumeMounts:
+          value: {{ .Values.securityContext.group_id | quote }}
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
         - mountPath: /etc/localtime
           name: localtime
           readOnly: true
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: janusgraph-realtime.properties
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: janusgraph-cached.properties
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
-          name: {{ include "common.fullname" . }}-config
+          name: properties
           subPath: aaiconfig.properties
         - mountPath: /opt/aai/logroot/AAI-GA
-          name: {{ include "common.fullname" . }}-logs
+          name: logs
         - mountPath: /opt/app/aai-graphadmin/resources/logback.xml
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: logback.xml
         - mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: localhost-access-logback.xml
         - mountPath: /opt/app/aai-graphadmin/resources/application.properties
-          name: {{ include "common.fullname" . }}-config
+          name: properties
           subPath: application.properties
-          {{ $global := . }}
-          {{ range $job := .Values.global.config.auth.files }}
-        - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/{{ . }}
-          name: {{ include "common.fullname" $global }}-auth-truststore-sec
-          subPath: {{ . }}
-          {{ end }}
-        resources:
-{{ include "common.resources" . }}
+        resources: {{ include "common.resources" . | nindent 10 }}
       {{- if .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
-      {{- end -}}
+      nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+      {{- end }}
       {{- if .Values.affinity }}
-      affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+      affinity: {{ toYaml .Values.affinity | nindent 8 }}
       {{- end }}
-      volumes:
+      volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
       - name: localtime
         hostPath:
           path: /etc/localtime
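Review bot: The `config` and `properties` subPath mounts of the `-perform-migration` container are read-write even though the container only consumes them, and `properties` now carries the rendered keystore and truststore passwords (OBF-encoded, which is reversible). Adding `readOnly: true` to each of those mounts, as `localtime` already has, keeps a misbehaving migration from altering its own configuration or credentials; for the emptyDir-backed `properties` volume this is the only thing enforcing that, while ConfigMap mounts are read-only at the kubelet anyway.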
@@ -191,14 +221,12 @@ spec:
       - name: {{ include "common.fullname" . }}-snapshots
         persistentVolumeClaim:
           claimName: {{ include "common.fullname" . }}-migration
-      - name: {{ include "common.fullname" . }}-auth-truststore-sec
-        secret:
-          secretName: aai-common-truststore
-          items:
-            {{ range $job := .Values.global.config.auth.files }}
-            - key: {{ . }}
-              path: {{ . }}
-            {{ end }}
+      - name: properties-input
+        configMap:
+          name: {{ include "common.fullname" . }}-properties
+      - name: properties
+        emptyDir:
+          medium: Memory
       restartPolicy: Never
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
@@ -226,8 +254,50 @@ spec:
         release: {{ include "common.release" . }}
       name: {{ include "common.name" . }}
     spec:
+      initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+      {{- if .Values.global.aafEnabled }}
+      - command:
+        - sh
+        args:
+        - -c
+        - |
+          echo "*** retrieve Truststore and Keystore password"
+          export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+          echo "*** obfuscate them "
+          export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+          echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+          echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+        image: {{ include "repositoryGenerator.image.jetty" . }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-obfuscate
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+        securityContext:
+          runAsUser: {{ .Values.securityContext.user_id }}
+      - command:
+        - sh
+        args:
+        - -c
+        - |
+          echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+          export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+          cd /config-input
+          for PFILE in `ls -1`
+          do
+            envsubst <${PFILE} >/config/${PFILE}
+          done
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+        - mountPath: /config-input
+          name: properties-input
+        - mountPath: /config
+          name: properties
+        image: {{ include "repositoryGenerator.image.envsubst" . }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-update-config
+      {{- end }}
       {{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }}
-      initContainers:
       - command:
         - /bin/bash
         - -c
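Review bot: The three `export KEYSTORE_PASSWORD=\`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar ... 2>&1 | grep "OBF:"\`` lines in the obfuscate init container have no failure check: if that jar path does not exist in the image chosen by `repositoryGenerator.image.jetty`, or the Password tool prints nothing matching, the variables are silently empty, the empty values are still appended to mycreds.prop, and the problem only surfaces when the application fails to open its keystore. Starting the script with `set -e` and guarding each result, e.g. `[ -n "${KEYSTORE_PASSWORD}" ] || { echo "keystore password obfuscation failed" >&2; exit 1; }`, makes the init container fail where the error occurs. In the update-config container, `envsubst <${PFILE} >/config/${PFILE}` replaces every shell-style `$NAME` reference in the input files; `envsubst '${KEYSTORE_PASSWORD} ${KEYSTORE_JKS_PASSWORD} ${TRUSTSTORE_PASSWORD}'` limits it to the three intended variables, and `for PFILE in *` avoids parsing `ls` output. The same unchecked `grep "OBF:"` pattern appears in the aai-schema-service deployment hunk; the enclosing pod spec continues outside this hunk.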
@@ -247,65 +317,69 @@ spec:
         image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         command:
-        - /bin/bash
+        - sh
+        args:
         - -c
         - |
-           bash docker-entrypoint.sh dataSnapshot.sh ;
+           bash docker-entrypoint.sh dataSnapshot.sh
            {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
         env:
         - name: LOCAL_USER_ID
-          value: {{ .Values.global.config.userId | quote }}
+          value: {{ .Values.securityContext.user_id | quote }}
         - name: LOCAL_GROUP_ID
-          value: {{ .Values.global.config.groupId | quote }}
-        volumeMounts:
+          value: {{ .Values.securityContext.group_id | quote }}
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
         - mountPath: /etc/localtime
           name: localtime
           readOnly: true
         - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots
-          name: {{ include "common.fullname" . }}-snapshots
+          name: snapshots
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
-          name: {{ include "common.fullname" . }}-migration
+          name: migration
           subPath: janusgraph-migration-real.properties
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
-          name: {{ include "common.fullname" . }}-migration
+          name: migration
           subPath: janusgraph-migration-cached.properties
         - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
-          name: {{ include "common.fullname" . }}-config
+          name: properties
           subPath: aaiconfig.properties
         - mountPath: /opt/aai/logroot/AAI-RES/
-          name: {{ include "common.fullname" . }}-logs
+          name: logs
         - mountPath: /opt/app/aai-graphadmin/resources/logback.xml
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: logback.xml
         - mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
-          name: {{ include "common.fullname" . }}-config
+          name: config
           subPath: localhost-access-logback.xml
         - mountPath: /opt/app/aai-graphadmin/resources/application.properties
-          name: {{ include "common.fullname" . }}-config
+          name: properties
           subPath: application.properties
-        resources:
-{{ include "common.resources" . | indent 10 }}
+        resources: {{ include "common.resources" . | nindent 10 }}
       {{- if .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
-      {{- end -}}
+      nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+      {{- end }}
       {{- if .Values.affinity }}
-      affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+      affinity: {{ toYaml .Values.affinity | nindent 8 }}
       {{- end }}
-      volumes:
+      volumes: {{ include "common.resources" . | nindent 10 }}
       - name: localtime
         hostPath:
           path: /etc/localtime
-      - name: {{ include "common.fullname" . }}-logs
+      - name: logs
         emptyDir: {}
-      - name: {{ include "common.fullname" . }}-config
+      - name: config
         configMap:
-          name: {{ include "common.fullname" . }}-configmap
-      - name: {{ include "common.fullname" . }}-migration
+          name: {{ include "common.fullname" . }}
+      - name: properties-input
         configMap:
-          name: {{ include "common.fullname" . }}-migration-configmap
-      - name: {{ include "common.fullname" . }}-snapshots
+          name: {{ include "common.fullname" . }}-properties
+      - name: properties
+        emptyDir:
+          medium: Memory
+      - name: migration
+        configMap:
+          name: {{ include "common.fullname" . }}-migration
+      - name: snapshots
         persistentVolumeClaim:
           claimName: {{ include "common.fullname" . }}-migration
       restartPolicy: Never
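Review bot: `volumes: {{ include "common.resources" . | nindent 10 }}` renders the chart's limits/requests mapping under `volumes:`, which must be a list, so the manifest becomes invalid once the `- name: localtime` items follow it, and the certInitializer volumes that `volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}` in the same hunk depends on are never declared. The other pod specs in this commit use `volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}`, which is what this line should read. The `nindent 10` is also off for a pod-level key that sits at 6 spaces.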
index 85165e2..cf46553 100644 (file)
@@ -4,6 +4,7 @@
 # org.onap.aai
 # ================================================================================
 # Copyright Â© 2018 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright Â© 2021 Orange
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
index b02e5cd..2774609 100644 (file)
@@ -4,7 +4,7 @@
 # ================================================================================
 # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
-# Copyright (c) 2020 Orange Intellectual Property. All rights reserved.
+# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -37,8 +37,6 @@ global: # global defaults
     migration:
       enabled: false
   config:
-    # User information for the admin user in container
-    userId: 1000
 
     # Specifies that the cluster connected to a dynamic
     # cluster being spinned up by kubernetes deployment
@@ -96,27 +94,54 @@ global: # global defaults
         edge:
           label: v12
 
-    # Keystore configuration password and filename
-    keystore:
-      filename: aai_keystore
-      passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 # changeit
-
-    # Truststore configuration password and filename
-    truststore:
-      filename: aai_keystore
-      passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 # changeit
-
-
-
-    # Specifies a list of files to be included in auth volume
-    auth:
-      files:
-        - aai_keystore
-
     # Specifies which clients should always default to realtime graph connection
     realtime:
       clients: SDNC,MSO,SO,robot-ete
 
+#################################################################
+# Certificate configuration
+#################################################################
+certInitializer:
+  nameOverride: aai-graphadmin-cert-initializer
+  aafDeployFqi: deployer@people.osaaf.org
+  aafDeployPass: demo123456!
+  # aafDeployCredsExternalSecret: some secret
+  fqdn: aai
+  fqi: aai@aai.onap.org
+  public_fqdn: aai.onap.org
+  cadi_longitude: "0.0"
+  cadi_latitude: "0.0"
+  app_ns: org.osaaf.aaf
+  credsPath: /opt/app/osaaf/local
+  fqi_namespace: org.onap.aai
+  user_id: &user_id 1000
+  group_id: &group_id 1000
+  aaf_add_config: |
+    echo "*** changing them into shell safe ones"
+    export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+    export KEYSTORE_JKS_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+    export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+    cd {{ .Values.credsPath }}
+    keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \
+      -storepass "${cadi_keystore_password_p12}" \
+      -keystore {{ .Values.fqi_namespace }}.p12
+    keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \
+      -storepass "${cadi_truststore_password}" \
+      -keystore {{ .Values.fqi_namespace }}.trust.jks
+    keytool -storepasswd -new "${KEYSTORE_JKS_PLAIN_PASSWORD}" \
+        -storepass "${cadi_keystore_password_jks}" \
+        -keystore {{ .Values.fqi_namespace }}.jks
+    echo "*** set key password as same password as keystore password"
+    keytool -keypasswd -new "${KEYSTORE_JKS_PLAIN_PASSWORD}" \
+      -keystore {{ .Values.fqi_namespace }}.jks \
+      -keypass "${cadi_keystore_password_jks}" \
+      -storepass "${KEYSTORE_JKS_PLAIN_PASSWORD}" -alias {{ .Values.fqi }}
+    echo "*** writing passwords into prop file"
+    echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
+    echo "KEYSTORE_JKS_PLAIN_PASSWORD=${KEYSTORE_JKS_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+    echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+    echo "*** change ownership of certificates to targeted user"
+    chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }}
 
 # application image
 image: onap/aai-graphadmin:1.9.1
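Review bot: `aafDeployPass: demo123456!` ships a working AAF deployer credential as a chart default, and the alternative is only hinted at by the commented `# aafDeployCredsExternalSecret: some secret`; the comment should say that the default is for demo deployments and that the external secret is the expected override, e.g. `# demo-only default; set aafDeployCredsExternalSecret to use a pre-created secret instead`. In `aaf_add_config`, `mycreds.prop` receives the plaintext store passwords with whatever mode the shell's umask yields; `chmod 600 {{ .Values.credsPath }}/mycreds.prop` before the `chown -R` line keeps it readable only by the target user. The third `keytool -storepasswd` block (`-storepass "${cadi_keystore_password_jks}"`) uses 8-space continuation indents where the others use 6. The same points apply to the aai-schema-service values hunk further down.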
@@ -259,6 +284,11 @@ resources:
       memory: 2Gi
   unlimited: {}
 
+# Not fully used for now
+securityContext:
+  user_id: *user_id
+  group_id: *group_id
+
 #Pods Service Account
 serviceAccount:
   nameOverride: aai-graphadmin
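Review bot: `# Not fully used for now` does not say what reads `securityContext`; the templates in this commit use `.Values.securityContext.user_id`/`group_id` for `runAsUser` and for the `LOCAL_USER_ID`/`LOCAL_GROUP_ID` environment values. A comment such as `# UID/GID the containers run as; kept equal to certInitializer.user_id/group_id (which chown the certificates) via the anchors above` would also make explicit that `*user_id`/`*group_id` resolve only because the anchors are defined earlier in this same file. The same applies to the aai-schema-service values hunk.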
index b0ed0e8..a2abaf3 100644 (file)
@@ -36,10 +36,10 @@ aai.tools.password={{ .Values.global.config.basic.auth.passwd }}
 {{ end }}
 
 {{ if ( include "common.needTLS" .) }}
-aai.truststore.filename={{ .Values.global.config.truststore.filename }}
-aai.truststore.passwd.x={{ .Values.global.config.truststore.passwd }}
-aai.keystore.filename={{ .Values.global.config.keystore.filename }}
-aai.keystore.passwd.x={{ .Values.global.config.keystore.passwd }}
+aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}
+aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+aai.keystore.passwd.x=${KEYSTORE_PASSWORD}
 {{ end }}
 
 aai.default.api.version={{ .Values.global.config.schema.version.api.default }}
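Review bot: `aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}` and `aai.keystore.passwd.x=${KEYSTORE_PASSWORD}` depend on something expanding the placeholders: this appears to be the aai-schema-service aaiconfig.properties, which the deployment hunk mounts straight from the `aaiconfig-conf` ConfigMap and where the container command only exports the variables into the environment (`export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)`), with no envsubst step like the one the aai-graphadmin job gets. Unless the AAI properties loader resolves `${NAME}` from the environment, the application will see the literal string — verify. If it does, a comment at these lines, e.g. `# ${...} placeholders are expanded from the container environment by the property loader`, records the contract; if not, an envsubst init step as in aai-graphadmin is needed.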
index ad700dc..a3f7998 100644 (file)
@@ -39,12 +39,12 @@ server.basic.auth.location=${server.local.startpath}/etc/auth/realm.properties
 server.port=8452
 {{ if ( include "common.needTLS" .) }}
 server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-server.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }}
-server.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }})
-server.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.truststore.filename }}
-server.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }})
+server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+server.ssl.key-store-password=${KEYSTORE_PASSWORD}
+server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
 server.ssl.client-auth=want
-server.ssl.key-store-type=JKS
+server.ssl.key-store-type=PKCS12
 {{ else }}
 security.require-ssl=false
 server.ssl.enabled=false
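Review bot: `server.ssl.key-store-type=PKCS12` is set for the new `.p12` key store, but no `server.ssl.trust-store-type` accompanies the new `{{ .Values.certInitializer.fqi_namespace }}.trust.jks` trust store, so loading it relies on the runtime default type matching a JKS file — verify, or add `server.ssl.trust-store-type=JKS` next to the trust-store lines. The unchanged `server.ssl.enabled-protocols=TLSv1.1,TLSv1.2` line still enables TLSv1.1, which is deprecated; dropping it is worth a follow-up.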
index cfcd3c0..e91e257 100644 (file)
 
   <logger name="org.onap.aai.aaf.auth" level="DEBUG" additivity="false">
     <appender-ref ref="asyncAUTH" />
+    <appender-ref ref="STDOUT"/>
   </logger>
   <logger name="org.onap.aai.aailog.logs.AaiScheduledTaskAuditLog" level="INFO">
     <appender-ref ref="asyncAUDIT"/>
+    <appender-ref ref="STDOUT"/>
   </logger>
 
   <logger name="org.onap.logging.filter.base.AbstractAuditLogFilter" level="INFO">
     <appender-ref ref="asyncAUDIT"/>
+    <appender-ref ref="STDOUT"/>
   </logger>
 
   <logger name="org.onap.aai.logging.ErrorLogHelper" level="WARN">
     <appender-ref ref="asyncERROR"/>
+    <appender-ref ref="STDOUT"/>
   </logger>
   <logger name="org.onap.aai.schemaservice.interceptors.post" level="DEBUG" additivity="false">
     <appender-ref ref="asynctranslog" />
+    <appender-ref ref="STDOUT"/>
   </logger>
 
   <logger name="org.apache" level="OFF"/>
index 988bb24..7c8539d 100644 (file)
@@ -10,6 +10,7 @@ ModelLoader:OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw,admin
 AaiUI:OBF:1gfr1p571unz1p4j1gg7,admin
 OOF:OBF:1img1ke71ily,admin
 aai@aai.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
+aai-graphadmin@aai-graphadmin.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
 so@so.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
 sdnc@sdnc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
 dcae@dcae.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
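Review bot: The new `aai-graphadmin@aai-graphadmin.onap.org` entry reuses the same `OBF:` credential string as the other `*@*.onap.org` identities and grants `admin`; Jetty `OBF:` encoding is reversible obfuscation rather than a hash, so this file carries a shared default password committed to the chart. The aai-graphadmin values in this commit set `fqi: aai@aai.onap.org`, so it is not clear which caller would present `aai-graphadmin@aai-graphadmin.onap.org` — confirm the identity is actually used. A header comment stating that these entries are demo defaults to be replaced per deployment would help operators.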
index d80dc5a..5a41aef 100644 (file)
@@ -21,6 +21,9 @@ dependencies:
     # a part of this chart's package and will not
     # be published independently to a repo (at this point)
     repository: '@local'
+  - name: certInitializer
+    version: ~9.x-0
+    repository: '@local'
   - name: repositoryGenerator
     version: ~9.x-0
     repository: '@local'
index 23a2af5..9573871 100644 (file)
@@ -30,7 +30,7 @@ data:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "common.fullname" . }}-localhost-access-log-configmap
+  name: {{ include "common.fullname" . }}-localhost-access-log
   namespace: {{ include "common.namespace" . }}
   labels:
     app: {{ include "common.name" . }}
@@ -43,7 +43,7 @@ data:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "common.fullname" . }}-aaiconfig-configmap
+  name: {{ include "common.fullname" . }}-aaiconfig
   namespace: {{ include "common.namespace" . }}
   labels:
     app: {{ include "common.name" . }}
@@ -56,7 +56,7 @@ data:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "common.fullname" . }}-springapp-configmap
+  name: {{ include "common.fullname" . }}-springapp
   namespace: {{ include "common.namespace" . }}
   labels:
     app: {{ include "common.name" . }}
@@ -69,7 +69,7 @@ data:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "common.fullname" . }}-realm-configmap
+  name: {{ include "common.fullname" . }}-realm
   namespace: {{ include "common.namespace" . }}
   labels:
     app: {{ include "common.name" . }}
index 7c25ab7..e4f1d72 100644 (file)
@@ -40,16 +40,52 @@ spec:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
     spec:
+      {{- if .Values.global.aafEnabled }}
+      initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+      - command:
+        - sh
+        args:
+        - -c
+        - |
+          echo "*** retrieve Truststore and Keystore password"
+          export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+          echo "*** obfuscate them "
+          export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}
+          export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}
+          export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+          echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+        image: {{ include "repositoryGenerator.image.jetty" . }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-obfuscate
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+        securityContext:
+          runAsUser: {{ .Values.securityContext.user_id }}
+      {{- end }}
       containers:
       - name: {{ include "common.name" . }}
         image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        {{- if .Values.global.aafEnabled }}
+        command:
+        - sh
+        args:
+        - -c
+        - |
+          echo "*** retrieve Truststore and Keystore password"
+          export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
+          echo "keystore pass: $KEYSTORE_PASSWORD"
+          echo "truststore pass: $TRUSTSTORE_PASSWORD"
+          echo "*** actual launch of AAI Schema Service"
+          /bin/bash /opt/app/aai-schema-service/docker-entrypoint.sh
+        {{- end }}
         env:
         - name: LOCAL_USER_ID
-          value: {{ .Values.global.config.userId | quote }}
+          value: {{ .Values.securityContext.user_id | quote }}
         - name: LOCAL_GROUP_ID
-          value: {{ .Values.global.config.groupId | quote }}
-        volumeMounts:
+          value: {{ .Values.securityContext.group_id | quote }}
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
         - mountPath: /etc/localtime
           name: localtime
           readOnly: true
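Review bot: `echo "keystore pass: $KEYSTORE_PASSWORD"` and `echo "truststore pass: $TRUSTSTORE_PASSWORD"` in the container command write both store passwords to stdout, i.e. into pod logs and whatever log pipeline collects them; the values are Jetty `OBF:` strings, which are reversible, so these two lines should be removed. In the obfuscate init container, `export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}` and the matching TRUSTSTORE line are no-ops and can go, and the `grep "OBF:"` results are not checked for emptiness (see the note on the aai-graphadmin job hunk). The enclosing pod spec continues outside the hunk.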
@@ -59,7 +95,7 @@ spec:
         - mountPath: /opt/aai/logroot/AAI-SS
           name: logs
         - mountPath: /opt/app/aai-schema-service/resources/logback.xml
-          name: {{ include "common.fullname" . }}-log-conf
+          name: log-conf
           subPath: logback.xml
         - mountPath: /opt/app/aai-schema-service/resources/localhost-access-logback.xml
           name: localhost-access-log-conf
@@ -70,12 +106,6 @@ spec:
         - mountPath: /opt/app/aai-schema-service/resources/application.properties
           name: springapp-conf
           subPath: application.properties
-          {{ $global := . }}
-          {{ range $job := .Values.global.config.auth.files }}
-        - mountPath: /opt/app/aai-schema-service/resources/etc/auth/{{ . }}
-          name: auth-truststore-sec
-          subPath: {{ . }}
-          {{ end }}
         ports:
         - containerPort: {{ .Values.service.internalPort }}
         - containerPort: {{ .Values.service.internalPort2 }}
@@ -107,7 +137,7 @@ spec:
       # side car containers
       {{ include "common.log.sidecar" . | nindent 6 }}
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
-      volumes:
+      volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
       - name: aai-common-aai-auth-mount
         secret:
           secretName: aai-common-aai-auth
@@ -117,29 +147,21 @@ spec:
       - name: logs
         emptyDir: {}
       {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
-      - name: {{ include "common.fullname" . }}-log-conf
+      - name: log-conf
         configMap:
           name: {{ include "common.fullname" . }}-log
       - name: localhost-access-log-conf
         configMap:
-          name: {{ include "common.fullname" . }}-localhost-access-log-configmap
+          name: {{ include "common.fullname" . }}-localhost-access-log
       - name: springapp-conf
         configMap:
-          name: {{ include "common.fullname" . }}-springapp-configmap
+          name: {{ include "common.fullname" . }}-springapp
       - name: aaiconfig-conf
         configMap:
-          name: {{ include "common.fullname" . }}-aaiconfig-configmap
+          name: {{ include "common.fullname" . }}-aaiconfig
       - name: realm-conf
         configMap:
-          name: {{ include "common.fullname" . }}-realm-configmap
-      - name: auth-truststore-sec
-        secret:
-          secretName: aai-common-truststore
-          items:
-            {{ range $job := .Values.global.config.auth.files }}
-            - key: {{ . }}
-              path: {{ . }}
-            {{ end }}
+          name: {{ include "common.fullname" . }}-realm
       restartPolicy: {{ .Values.restartPolicy }}
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
index 121809e..7989bcc 100644 (file)
@@ -58,20 +58,40 @@ global: # global defaults
         edge:
           label: v12
 
-    # Keystore configuration password and filename
-    keystore:
-      filename: aai_keystore
-      passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 # changeit
-
-    # Truststore configuration password and filename
-    truststore:
-      filename: aai_keystore
-      passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 # changeit
-
-    # Specifies a list of files to be included in auth volume
-    auth:
-      files:
-        - aai_keystore
+#################################################################
+# Certificate configuration
+#################################################################
+certInitializer:
+  nameOverride: aai-schema-service-cert-initializer
+  aafDeployFqi: deployer@people.osaaf.org
+  aafDeployPass: demo123456!
+  # aafDeployCredsExternalSecret: some secret
+  fqdn: aai-schema-service
+  fqi: aai-schema-service@aai-schema-service.onap.org
+  public_fqdn: aai-schema-service.onap.org
+  cadi_longitude: "0.0"
+  cadi_latitude: "0.0"
+  app_ns: org.osaaf.aaf
+  credsPath: /opt/app/osaaf/local
+  fqi_namespace: org.onap.aai-schema-service
+  user_id: &user_id 1000
+  group_id: &group_id 1000
+  aaf_add_config: |
+    echo "*** changing them into shell safe ones"
+    export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+    export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+    cd {{ .Values.credsPath }}
+    keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \
+      -storepass "${cadi_keystore_password_p12}" \
+      -keystore {{ .Values.fqi_namespace }}.p12
+    keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \
+      -storepass "${cadi_truststore_password}" \
+      -keystore {{ .Values.fqi_namespace }}.trust.jks
+    echo "*** writing passwords into prop file"
+    echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
+    echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+    echo "*** change ownership of certificates to targeted user"
+    chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }}
 
 # application image
 image: onap/aai-schema-service:1.9.2
@@ -147,6 +167,11 @@ serviceAccount:
   roles:
     - read
 
+# Not fully used for now
+securityContext:
+  user_id: *user_id
+  group_id: *group_id
+
 #Log configuration
 log:
   path: /var/log/onap