database_cluster_name: {{ .Values.postgres.service.name2 }}.{{ include "common.namespace" . }}
database_cluster_fqdn: {{ .Values.postgres.service.name2 }}.{{ include "common.namespace" . }}.{{ .Values.postgres.suffix }}
database_name: "dashboard_pg"
-cloudify_ip: {{ .Values.config.address.cm }}
+cloudify_ip: {{ .Values.config.address.cm.host }}
cloudify_user: "admin"
cloudify_password: "admin"
consul_url: {{ .Values.config.address.consul_ui }}
fieldRef:\r
apiVersion: v1\r
fieldPath: metadata.namespace\r
+ - name: init-tls\r
+ env:\r
+ - name: POD_IP\r
+ valueFrom:\r
+ fieldRef:\r
+ apiVersion: v1\r
+ fieldPath: status.podIP\r
+ image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }}\r
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}\r
+ resources: {}\r
+ volumeMounts:\r
+ - mountPath: /opt/tls/shared\r
+ name: tls-info\r
containers:\r
- name: {{ include "common.name" . }}\r
image: "{{ include "common.repository" . }}/{{ .Values.image }}"\r
- mountPath: /etc/localtime\r
name: localtime\r
readOnly: true\r
+ - mountPath: /certs\r
+ name: tls-info\r
+ readOnly: true\r
env:\r
- name: CMADDR\r
- value: {{ .Values.config.address.cm }}\r
+ value: {{ .Values.config.address.cm.host }}\r
- name: CMPASS\r
valueFrom:\r
secretKeyRef:\r
name: {{ include "common.name" . }}-cmpass\r
key: password\r
+ - name: CMPROTO\r
+ value: {{ .Values.config.address.cm.proto }}\r
+ - name: CMPORT\r
+ value: !!string {{ .Values.config.address.cm.port }}\r
- name: CONSUL\r
value: {{ .Values.config.address.consul.host }}:{{ .Values.config.address.consul.port }}\r
- name: DCAE_NAMESPACE\r
- name: localtime\r
hostPath:\r
path: /etc/localtime\r
+ - name: tls-info\r
+ emptyDir: {}\r
imagePullSecrets:\r
- name: "{{ include "common.namespace" . }}-docker-registry-key"\r
host: consul-server
port: 8500
consul_ui: consul-server-ui
- cm: dcae-cloudify-manager
+ cm:
+ host: dcae-cloudify-manager
+ port: 443
+ proto: https
dashboard:
port: 30418
portSecure: 30419
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:1.4.18
+image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:1.6.0-STAGING-latest
default_k8s_location: central
# DCAE component images to be deployed via Cloudify Manager
app: {{ include "common.name" . }}
release: {{ .Release.Name }}
spec:
+ # host alias allows local 'cfy' command to use https and match
+ # the host name in the certificate
+ hostAliases:
+ - ip: "127.0.0.1"
+ hostnames:
+ - "dcae-cloudify-manager"
initContainers:
- name: {{ include "common.name" . }}-multisite-init
image: {{ include "common.repository" . }}/{{ .Values.multisiteInitImage }}
- --configmap
- {{ .Values.multisiteConfigMapName }}
restartPolicy: Never
+ - name: init-tls
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ resources: {}
+ volumeMounts:
+ - mountPath: /opt/tls/shared
+ name: tls-info
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/opt/onap/certs/cacert.pem"
resources:
{{ include "common.resources" . | indent 12 }}
ports:
readOnly: true
- mountPath: /cfy-persist
name: cm-persistent
+ - mountPath: /opt/onap/certs
+ name: tls-info
securityContext:
privileged: True
volumes:
- name: cm-persistent
persistentVolumeClaim:
claimName: {{ include "common.fullname" . }}-data
+ - emptyDir: {}
+ name: tls-info
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.deployments.cm-container:1.6.2
+image: onap/org.onap.dcaegen2.deployments.cm-container:2.0.0-STAGING-latest
pullPolicy: Always
# name of shared ConfigMap with kubeconfig for multiple clusters
service:
type: ClusterIP
name: dcae-cloudify-manager
- externalPort: 80
- internalPort: 80
+ externalPort: 443
+ internalPort: 443
# Resource Limit flavor -By Default using small
flavor: small
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
+ {{- if .Values.service.secure.enabled }}
+ - name: init-tls
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ resources: {}
+ volumeMounts:
+ - mountPath: /opt/tls/shared
+ name: tls-info
+ {{ end }}
containers:
+ {{- if .Values.service.secure.enabled }}
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
resources:
{{ include "common.resources" . | indent 12 }}
ports:
- - containerPort: {{ .Values.service.internalPort }}
+ - containerPort: {{ .Values.service.secure.internalPort }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
{{- if eq .Values.liveness.enabled true }}
livenessProbe:
tcpSocket:
- port: {{ .Values.service.internalPort }}
+ port: {{ .Values.service.secure.internalPort }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
{{ end -}}
readinessProbe:
httpGet:
+ scheme: "HTTPS"
path: {{ .Values.readiness.path }}
- port: {{ .Values.service.internalPort }}
+ port: {{ .Values.service.secure.internalPort }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
- name: {{ include "common.fullname" . }}-logs
mountPath: /opt/logs
+ - name: tls-info
+ mountPath: /opt/tls
env:
- name: CONSUL_HOST
value: consul.{{ include "common.namespace" . }}
-
+ - name: USE_HTTPS
+ value: "1"
+ - name: HTTPS_CERT_PATH
+ value: "/opt/tls/cert.pem"
+ - name: HTTPS_KEY_PATH
+ value: "/opt/tls/key.pem"
- name: {{ include "common.name" . }}-filebeat-onap
image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
mountPath: /usr/share/filebeat/data
- name: {{ include "common.fullname" . }}-logs
mountPath: /var/log/onap
+ {{ end }}
+ {{- if .Values.service.insecure.enabled }}
+ - name: {{ include "common.name" . }}-insecure
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ resources:
+{{ include "common.resources" . | indent 12 }}
+ ports:
+ - containerPort: {{ .Values.service.insecure.internalPort }}
+ # disable liveness probe when breakpoints set in debugger
+ # so K8s doesn't restart unresponsive container
+ {{- if eq .Values.liveness.enabled true }}
+ livenessProbe:
+ tcpSocket:
+ port: {{ .Values.service.insecure.internalPort }}
+ initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.liveness.periodSeconds }}
+ {{ end -}}
+ readinessProbe:
+ httpGet:
+ scheme: "HTTP"
+ path: {{ .Values.readiness.path }}
+ port: {{ .Values.service.insecure.internalPort }}
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
+ volumeMounts:
+ - name: {{ include "common.fullname" . }}-logs-insecure
+ mountPath: /opt/logs
+ env:
+ - name: CONSUL_HOST
+ value: consul.{{ include "common.namespace" . }}
+ - name: {{ include "common.name" . }}-filebeat-onap-insecure
+ image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ volumeMounts:
+ - name: {{ include "common.fullname" . }}-filebeat-conf
+ mountPath: /usr/share/filebeat/filebeat.yml
+ subPath: filebeat.yml
+ - name: {{ include "common.fullname" . }}-data-filebeat-insecure
+ mountPath: /usr/share/filebeat/data
+ - name: {{ include "common.fullname" . }}-logs-insecure
+ mountPath: /var/log/onap
+ {{ end }}
volumes:
- name: {{ include "common.fullname" . }}-filebeat-conf
configMap:
name: {{ .Release.Name }}-cbs-filebeat-configmap
+ {{- if .Values.service.secure.enabled }}
- name: {{ include "common.fullname" . }}-data-filebeat
emptyDir: {}
- name: {{ include "common.fullname" . }}-logs
emptyDir: {}
+ - name: tls-info
+ emptyDir: {}
+ {{ end }}
+ {{- if .Values.service.insecure.enabled }}
+ - name: {{ include "common.fullname" . }}-data-filebeat-insecure
+ emptyDir: {}
+ - name: {{ include "common.fullname" . }}-logs-insecure
+ emptyDir: {}
+ {{ end }}
+
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
spec:
type: {{ .Values.service.type }}
ports:
- {{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.externalPort }}
- nodePort: {{ .Values.global.nodePortPrefixExt| default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.name }}
+ {{ if eq .Values.service.type "NodePort" -}}
+ {{ if .Values.service.insecure.enabled -}}
+ - port: {{ .Values.service.insecure.externalPort }}
+ nodePort: {{ .Values.global.nodePortPrefixExt| default .Values.nodePortPrefixExt }}{{ .Values.service.insecure.nodePort }}
+ name: {{ .Values.service.name }}-insecure
+ {{- end }}
+ {{ if .Values.service.secure.enabled -}}
+ - port: {{ .Values.service.secure.externalPort }}
+ nodePort: {{ .Values.global.nodePortPrefixExt| default .Values.nodePortPrefixExt }}{{ .Values.service.secure.nodePort }}
+ name: {{ .Values.service.name }}-secure
+ {{- end }}
{{- else -}}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.name }}
- {{- end}}
+ {{ if .Values.service.insecure.enabled -}}
+ - port: {{ .Values.service.insecure.externalPort }}
+ targetPort: {{ .Values.service.insecure.internalPort }}
+ name: {{ .Values.service.name }}-insecure
+ {{- end }}
+ {{ if .Values.service.secure.enabled -}}
+ - port: {{ .Values.service.secure.externalPort }}
+ targetPort: {{ .Values.service.secure.internalPort }}
+ name: {{ .Values.service.name }}-secure
+ {{- end }}
+ {{- end }}
selector:
app: {{ include "common.name" . }}
release: {{ .Release.Name }}
-
readinessImage: readiness-check:2.0.0
loggingRepository: docker.elastic.co
loggingImage: beats/filebeat:5.5.0
+ tlsRepository: nexus3.onap.org:10001
+ tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:1.0.3
repositoryCred:
user: docker
password: docker
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.platform.configbinding.app-app:2.3.0
+image: onap/org.onap.dcaegen2.platform.configbinding:2.5.1-STAGING-latest
pullPolicy: Always
# probe configuration parameters
service:
type: NodePort
name: config-binding-service
- externalPort: 10000
- internalPort: 10000
- nodePort: 15
+ # TLS service
+ secure:
+ enabled: true
+ externalPort: 10443
+ internalPort: 10443
+ nodePort: 14
+ # Non-TLS service
+ insecure:
+ enabled: true
+ externalPort: 10000
+ internalPort: 10000
+ nodePort: 15
# Resource Limit flavor -By Default using small
flavor: small
{
"cloudify": {
- "protocol": "http"
+ "protocol": "https"
},
"inventory": {
"protocol": "http"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
args:
- --service
- - "cloudify_manager|dcae-cloudify-manager.{{ include "common.namespace" . }}|80"
+ - "cloudify_manager|dcae-cloudify-manager.{{ include "common.namespace" . }}|443"
- --service
- "inventory|inventory.{{ include "common.namespace" . }}|8080"
- --key
value: admin
- name: CONFIG_BINDING_SERVICE
value: config-binding-service
+ - name: NODE_EXTRA_CA_CERTS
+ value: /opt/app/dh/etc/cert/cacert.pem
- name: POD_IP
valueFrom:
fieldRef:
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.platform.deployment-handler:4.0.1
+image: onap/org.onap.dcaegen2.platform.deployment-handler:4.2.0
pullPolicy: Always
# probe configuration parameters
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.platform.servicechange-handler:1.1.5
+image: onap/org.onap.dcaegen2.platform.servicechange-handler:1.2.0
pullPolicy: Always