.. table:: OOM Software Requirements
- ============== =========== ======= ======== ========
- Release Kubernetes Helm kubectl Docker
- ============== =========== ======= ======== ========
+ ============== =========== ======= ======== ======== ============
+ Release Kubernetes Helm kubectl Docker Cert-Manager
+ ============== =========== ======= ======== ======== ============
amsterdam 1.7.x 2.3.x 1.7.x 1.12.x
beijing 1.8.10 2.8.2 1.8.10 17.03.x
casablanca 1.11.5 2.9.1 1.11.5 17.03.x
frankfurt 1.15.9 2.16.6 1.15.11 18.09.x
guilin 1.15.11 2.16.10 1.15.11 18.09.x
Honolulu 1.19.9 3.5.2 1.19.9 19.03.x
- ============== =========== ======= ======== ========
+ Istanbul 1.2.0
+ ============== =========== ======= ======== ======== ============
.. note::
Guilin version also supports Kubernetes up to version 1.19.x and should work
> cp -R ~/oom/kubernetes/helm/plugins/ ~/.local/share/helm/plugins
> helm plugin install https://github.com/chartmuseum/helm-push.git
-**Step 3** Install Chartmuseum::
+**Step 3.** Install Chartmuseum::
> curl -LO https://s3.amazonaws.com/chartmuseum/release/latest/bin/linux/amd64/chartmuseum
> chmod +x ./chartmuseum
> mv ./chartmuseum /usr/local/bin
-**Step 4.** Customize the Helm charts like `oom/kubernetes/onap/values.yaml` or
+**Step 4.** Install Cert-Manager::
+
+ > kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml
+
+More details can be found :doc:`here <oom_setup_paas>`.
+
+**Step 5.** Customize the Helm charts like `oom/kubernetes/onap/values.yaml` or
an override file like `onap-all.yaml`, `onap-vfw.yaml` or `openstack.yaml` file
to suit your deployment with items like the OpenStack tenant information.
:language: yaml
-**Step 5.** To setup a local Helm server to server up the ONAP charts::
+**Step 6.** To setup a local Helm server to server up the ONAP charts::
> chartmuseum --storage local --storage-local-rootdir ~/helm3-storage -port 8879 &
> helm repo add local http://127.0.0.1:8879
-**Step 6.** Verify your Helm repository setup with::
+**Step 7.** Verify your Helm repository setup with::
> helm repo list
NAME URL
local http://127.0.0.1:8879
-**Step 7.** Build a local Helm repository (from the kubernetes directory)::
+**Step 8.** Build a local Helm repository (from the kubernetes directory)::
> make SKIP_LINT=TRUE [HELM_BIN=<HELM_PATH>] all ; make SKIP_LINT=TRUE [HELM_BIN=<HELM_PATH>] onap
Sets the helm binary to be used. The default value use helm from PATH
-**Step 8.** Display the onap charts that available to be deployed::
+**Step 9.** Display the onap charts that available to be deployed::
> helm repo update
> helm search repo onap
to your deployment charts or values be sure to use ``make`` to update your
local Helm repository.
-**Step 9.** Once the repo is setup, installation of ONAP can be done with a
+**Step 10.** Once the repo is setup, installation of ONAP can be done with a
single command
.. note::
you want to use to deploy VNFs from ONAP and/or additional parameters for the
embedded tests.
-**Step 10.** Verify ONAP installation
+**Step 11.** Verify ONAP installation
Use the following to monitor your deployment and determine when ONAP is ready
for use::
> ~/oom/kubernetes/robot/ete-k8s.sh onap health
-**Step 11.** Undeploy ONAP
+**Step 12.** Undeploy ONAP
::
> helm undeploy dev
.. _oom_setup_paas:
-ONAP PaaS set-up (optional)
-###########################
+ONAP PaaS set-up
+################
Starting from Honolulu release, Cert-Manager and Prometheus Stack are a part
-of k8s PaaS for ONAP operations and can be optionally installed to provide
+of k8s PaaS for ONAP operations and can be installed to provide
additional functionality for ONAP engineers.
The versions of PaaS compoents that are supported by OOM are as follows:
honolulu 1.2.0 13.x
============== ============= =================
-This guide provides instructions on how to install the following PaaS
-components for ONAP:
+This guide provides instructions on how to install the PaaS
+components for ONAP.
-- Cert-Manager
-- Prometheus Stack
+.. contents::
+ :depth: 1
+ :local:
+..
Cert-Manager
============
> kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml
-Prometheus Stack
-================
+Prometheus Stack (optional)
+===========================
Prometheus is an open-source systems monitoring and alerting toolkit with
an active ecosystem.
Pre-requisites
--------------
-Your environment must have both the Kubernetes `kubectl` and Helm setup as a
-one time activity.
+Your environment must have the Kubernetes `kubectl` with Cert-Manager
+and Helm setup as a one time activity.
Install Kubectl
~~~~~~~~~~~~~~~
At this point you should see Kubernetes pods running.
+Install Cert-Manager
+~~~~~~~~~~~~~~~~~~~~
+Details on how to install Cert-Manager can be found
+:doc:`here <oom_setup_paas>`.
+
Install Helm
~~~~~~~~~~~~
Helm is used by OOM for package and configuration management. To install Helm,
| **Release designation** | Honolulu |
| | |
+--------------------------------------+--------------------------------------+
-| **Release date** | 2020/12/03 |
+| **Release date** | 2021/04/29 |
| | |
+--------------------------------------+--------------------------------------+
* Kubernetes support for version up to 1.20
* Helm support for version up to 3.5
* Limits are set for most of the components
+* Portal-Cassandra image updated to Bitnami, supporting IPv4/IPv6 Dual Stack
+* CMPv2 external issuer implemented which extends Cert-Manager with ability to
+ enroll X.509 certificates from CMPv2 servers
+* New version for mariadb galera using Bitnami image, supporting IPv4/IPv6 Dual
+ Stack
+* Bump version of common PostgreSQL and ElasticSearch
+* Move to automatic certificates retrieval for 80% of the components
+* Consistent retrieval of docker images, with ability to configure proxy for
+ the 4 repositories used by ONAP
**Bug fixes**
A list of issues resolved in this release can be found here:
-https://jira.onap.org/projects/OOM/versions/10826
+https://jira.onap.org/projects/OOM/versions/11073
-**Known Issues**
+major issues solved:
-- `<https://github.com/bitnami/bitnami-docker-mariadb-galera/issues/35>`_
- bitnami mariadb galera image doesn't support single quote in password.
+* Better handling of persistence on PostgreSQL
+* Better Ingress templating
+* Better Service templating
+**Known Issues**
+- `OOM-2554 <https://jira.onap.org/browse/OOM-2554>`_ Common pods have java 8
+- `OOM-2435 <https://jira.onap.org/browse/OOM-2435>`_ SDNC karaf shell:
+ log:list: Error executing command: Unrecognized configuration
+- `OOM-2629 <https://jira.onap.org/browse/OOM-2629>`_ NetBox demo entry setup
+ not complete
+- `OOM-2706 <https://jira.onap.org/browse/OOM-2706>`_ CDS Blueprint Processor
+ does not work with local DB
+- `OOM-2713 <https://jira.onap.org/browse/OOM-2713>`_ Problem on onboarding
+ custom cert to SDNC ONAP during deployment
+- `OOM-2698 <https://jira.onap.org/browse/OOM-2698>`_ SO helm override fails in
+ for value with multi-level replacement
+- `OOM-2697 <https://jira.onap.org/browse/OOM-2697>`_ SO with local MariaDB
+ deployment fails
+- `OOM-2538 <https://jira.onap.org/browse/OOM-2538>`_ strange error with
+ CertInitializer template
+- `OOM-2547 <https://jira.onap.org/browse/OOM-2547>`_ Health Check failures
+ seen after bringing down/up control plane & worker node VM instances on which
+ ONAP hosted
+- `OOM-2699 <https://jira.onap.org/browse/OOM-2699>`_ SO so-mariadb
+ readinessCheck fails for local MariaDB instance
+- `OOM-2705 <https://jira.onap.org/browse/OOM-2705>`_ SDNC DB installation fails
+ on local MariaDB instance
+- `OOM-2603 <https://jira.onap.org/browse/OOM-2603>`_ [SDNC] allign password for
+ scaleoutUser/restconfUser/odlUser
Deliverables
------------
kind: Deployment
apiVersion: apps/v1
-metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+metadata:
+ name: {{ include "common.fullname" . }}
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ release: "{{ include "common.release" . }}"
+ heritage: "{{ .Release.Service }}"
spec:
replicas: {{ index .Values.replicaCount }}
selector: {{- include "common.selectors" . | nindent 4 }}
subPath: application_configuration.json
- name: config
mountPath: /opt/app/policy-agent/config/application.yaml
- subPath: application.yaml
+ subPath: application.yaml
+ - name: vardata
+ mountPath: "/var/policy-management-service/database"
resources: {{ include "common.resources" . | nindent 10 }}
volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }}
- name: {{ include "common.fullname" . }}-policy-conf-input
- name: config
emptyDir:
medium: Memory
+ - name: vardata
+ persistentVolumeClaim:
+ claimName: {{ include "common.fullname" . }}
--- /dev/null
+{{/*
+################################################################################
+# Copyright (c) 2021 Nordix Foundation. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); #
+# you may not use this file except in compliance with the License. #
+# You may obtain a copy of the License at #
+# #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+################################################################################
+*/}}
+
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
+{{- if not .Values.persistence.storageClass -}}
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+ name: {{ include "common.fullname" . }}-data
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+ release: "{{ include "common.release" . }}"
+ heritage: "{{ .Release.Service }}"
+ name: {{ include "common.fullname" . }}
+spec:
+ capacity:
+ storage: {{ .Values.persistence.size}}
+ accessModes:
+ - {{ .Values.persistence.accessMode }}
+ persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }}
+ storageClassName: "{{ include "common.fullname" . }}-data"
+ hostPath:
+ path: {{ .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}/app
+{{- end -}}
+{{- end -}}
--- /dev/null
+{{/*
+################################################################################
+# Copyright (c) 2021 Nordix Foundation. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); #
+# you may not use this file except in compliance with the License. #
+# You may obtain a copy of the License at #
+# #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+################################################################################
+*/}}
+
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: {{ include "common.fullname" . }}
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ release: "{{ include "common.release" . }}"
+ heritage: "{{ .Release.Service }}"
+ {{- if .Values.persistence.annotations }}
+ annotations:
+{{ .Values.persistence.annotations | indent 4 }}
+ {{- end }}
+spec:
+ accessModes:
+ - {{ .Values.persistence.accessMode }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size }}
+ storageClassName: {{ include "common.fullname" . }}-data
+{{- end -}}
keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \
-storepass "${cadi_truststore_password}" \
-keystore {{ .Values.fqi_namespace }}.trust.jks
- echo "*** set key password as same password as keystore password"
- keytool -keypasswd -new "${KEYSTORE_PASSWORD}" \
- -keystore {{ .Values.fqi_namespace }}.p12 \
- -keypass "${cadi_keystore_password_p12}" \
- -storepass "${KEYSTORE_PASSWORD}" -alias {{ .Values.fqi }}
echo "*** save the generated passwords"
echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop
echo "*** change ownership of certificates to targeted user"
chown -R 1000 .
-image: onap/ccsdk-oran-a1policymanagementservice:1.1.1
+image: onap/ccsdk-oran-a1policymanagementservice:1.1.3
userID: 1000 #Should match with image-defined user ID
groupID: 999 #Should match with image-defined group ID
pullPolicy: IfNotPresent
small:
limits:
cpu: 2
- memory: 4Gi
+ memory: 300Mi
requests:
cpu: 1
- memory: 2Gi
+ memory: 150Mi
large:
limits:
cpu: 4
cpu: 2
memory: 4Gi
unlimited: {}
+
+## Persist data to a persistent volume
+persistence:
+ enabled: true
+
+ ## A manually managed Persistent Volume and Claim
+ ## Requires persistence.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ # existingClaim:
+ volumeReclaimPolicy: Retain
+
+ ## database data Persistent Volume Storage Class
+ ## If defined, storageClassName: <storageClass>
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ # storageClass: "-"
+ accessMode: ReadWriteOnce
+ size: 2Gi
+ mountPath: /dockerdata-nfs
+ mountSubPath: nonrtric/policymanagementservice
+
+
org.onap.clamp|clds.template|dev|read|Onap Clamp Dev Read Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}"
org.onap.clamp|clds.template|dev|update|Onap Clamp Dev Update Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}"
org.onap.clamp|clds.tosca|dev|*||"{'org.onap.clamp|service'}"
+org.onap.clamp|clds.policies|dev|*||"{'org.onap.clamp|service'}"
org.onap.clampdemo|access|*|*|ClampDemo Write Access|{'org.onap.clampdemo.admin'}
org.onap.clampdemo|access|*|read|ClampDemo Read Access|{'org.onap.clampdemo.owner'}
org.onap.clamptest|access|*|*|Onap Write Access|{'org.onap.clamptest.admin'}
org.onap.clampdemo|owner|onap clamp Test Owners|"{'org.onap.clampdemo.access|*|read'}"
org.onap.clamp|owner|AAF Namespace Owners|
org.onap.clamp|seeCerts||"{'org.onap.clamp|certman|local|request,ignoreIPs,showpass'}"
-org.onap.clamp|service||"{'org.onap.clamp|access|*|*', 'org.onap.clamp|clds.cl.manage|dev|*', 'org.onap.clamp|clds.cl|dev|*', 'org.onap.clamp|clds.filter.vf|dev|*', 'org.onap.clamp|clds.template|dev|*', 'org.onap.clamp|clds.tosca|dev|*'}"
+org.onap.clamp|service||"{'org.onap.clamp|access|*|*', 'org.onap.clamp|clds.cl.manage|dev|*', 'org.onap.clamp|clds.cl|dev|*', 'org.onap.clamp|clds.filter.vf|dev|*', 'org.onap.clamp|clds.template|dev|*', 'org.onap.clamp|clds.tosca|dev|*', 'org.onap.clamp|clds.policies|dev|*'}"
org.onap.clamptest|admin|Onap Clamp Test Admins|"{'org.onap.clamptest.access|*|*'}"
org.onap.clamptest|owner|onap clamp Test Owners|"{'org.onap.clamptest.access|*|read'}"
org.onap.cli|admin|AAF Namespace Administrators|"{'org.onap.cli|access|*|*'}"
mountSubPath: "cass"
volumeReclaimPolicy: Retain
accessMode: ReadWriteOnce
- size: 20Gi
+ size: 5Gi
org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\
org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration
-multi.tenancy.enabled=true
+multi.tenancy.enabled={{ .Values.config.keycloak.multiTenancy.enabled }}
keycloak.auth-server-url=http://{{ .Values.config.keycloak.host }}:{{ .Values.config.keycloak.port }}/auth
-keycloak.realm=aai-resources
-keycloak.resource=aai-resources-app
+keycloak.realm={{ .Values.config.keycloak.realm }}
+keycloak.resource={{ .Values.config.keycloak.resource }}
keycloak.public-client=true
keycloak.principal-attribute=preferred_username
# Active spring profiles for the resources microservice
profiles:
- active: production,dmaap,aaf-auth
+ active: production,dmaap,aaf-auth #,keycloak
# Notification event specific properties
notification:
credsPath: /opt/app/osaaf/local
fqi_namespace: org.onap.aai-resources
aaf_add_config: |
- echo "*** writing passwords into prop file"
- echo "KEYSTORE_PASSWORD=${cadi_keystore_password_p12}" > {{ .Values.credsPath }}/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${cadi_truststore_password}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "*** changing them into shell safe ones"
+ export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ cd {{ .Values.credsPath }}
+ keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
+ -storepass "${cadi_keystore_password_p12}" \
+ -keystore {{ .Values.fqi_namespace }}.p12
+ keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
+ -storepass "${cadi_truststore_password}" \
+ -keystore {{ .Values.fqi_namespace }}.trust.jks
+ echo "*** save the generated passwords"
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop
echo "*** change ownership of certificates to targeted user"
chown -R 1000 {{ .Values.credsPath }}
# Configuration for the resources deployment
config:
+ # configure keycloak according to your environment.
+ # don't forget to add keycloak in active profiles above (global.config.profiles)
keycloak:
- host: localhost
+ host: keycloak.your.domain
port: 8180
+ # Specifies a set of users, credentials, roles, and groups
+ realm: aai-resources
+ # Used by any client application for enabling fine-grained authorization for their protected resources
+ resource: aai-resources-app
+ # If set to true, additional criteria will be added that match the data-owner property with the given role
+ # to the user in keycloak
+ multiTenancy:
+ enabled: true
# Specifies crud related operation timeouts and overrides
crud:
# a part of this chart's package and will not
# be published independently to a repo (at this point)
repository: '@local'
+ - name: certInitializer
+ version: ~8.x-0
+ repository: '@local'
- name: repositoryGenerator
version: ~8.x-0
repository: '@local'
*/}}
oxm.schemaNodeDir=/opt/app/sparky/onap/oxm
-#schemaServiceTranslator is used to define whether to retreive the oxm from schema service microservice or read from the disk, possible values are schema-service/config
+#schemaServiceTranslator is used to define whether to retreive the oxm from schema service microservice or read from the disk, possible values are schema-service/config
oxm.schemaServiceTranslatorList=config
# The end point for onap is https://<hostname>:<port>/onap/schema-service/v1/
oxm.schemaServiceBaseUrl=https://<schema-service/config>/aai/schema-service/v1/
-oxm.schemaServiceKeystore=file:${CONFIG_HOME}/auth/aai-client-cert.p12
-oxm.schemaServiceTruststore=file:${CONFIG_HOME}/auth/tomcat_keystore
-oxm.schemaServiceKeystorePassword=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o
-oxm.schemaServiceTruststorePassword=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o
+oxm.schemaServiceKeystore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+oxm.schemaServiceTruststore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+oxm.schemaServiceKeystorePassword=${KEYSTORE_PASSWORD}
+oxm.schemaServiceTruststorePassword=${TRUSTSTORE_PASSWORD}
resources.authType=SSL_BASIC
resources.basicAuthUserName=aai@aai.onap.org
resources.basicAuthPassword=1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek
-resources.trust-store=tomcat_keystore
+resources.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+resources.trust-store-password=${TRUSTSTORE_PASSWORD}
+resources.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+resources.client-cert-password=${KEYSTORE_PASSWORD}
# limitations under the License.
server.port=8000
-server.ssl.key-store=file:${CONFIG_HOME}/auth/org.onap.aai.p12
-server.ssl.key-store-password=OBF:1xfz1qie1jf81b3s1ir91tag1h381cvr1kze1zli16kj1b301b4y16kb1zm01kzo1cw71gze1t9y1ivd1b461je21qiw1xf3
+server.ssl.key-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+server.ssl.key-store-password=${KEYSTORE_PASSWORD}
server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-server.ssl.trust-store=file:${CONFIG_HOME}/auth/truststoreONAPall.jks
-server.ssl.trust-store-password=OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
+server.ssl.trust-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
spring.profiles.active=camel,ssl,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy
-portal.cadiFileLocation={{.Values.config.cadiFileLocation}}
portal.cadiFileLocation={{.Values.config.cadiFileLocation}}
searchservice.hostname={{.Values.global.searchData.serviceName}}
searchservice.port=9509
-searchservice.client-cert=client-cert-onap.p12
-searchservice.client-cert-password=1xfz1qie1jf81b3s1ir91tag1h381cvr1kze1zli16kj1b301b4y16kb1zm01kzo1cw71gze1t9y1ivd1b461je21qiw1xf3
-searchservice.truststore=tomcat_keystore
+searchservice.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+searchservice.client-cert-password=${KEYSTORE_PASSWORD}
+searchservice.truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+searchservice.truststore-password=${TRUSTSTORE_PASSWORD}
schema.ingest.file=${CONFIG_HOME}/schemaIngest.properties
--- /dev/null
+<configuration scan="true" scanPeriod="3 seconds" debug="false">
+ <!--{{/*
+ # Copyright © 2018 AT&T
+ # Copyright © 2021 Orange
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+ */}}-->
+ <!--<jmxConfigurator /> -->
+ <!-- directory path for all other type logs -->
+
+ <property name="logDir" value="/var/log/onap" />
+
+ <!-- <ECOMP-component-name>::= "MSO" | "DCAE" | "ASDC " | "AAI" |"Policy"
+ | "SDNC" | "AC" -->
+ <property name="componentName" value="AAI-UI"></property>
+
+ <!-- default eelf log file names -->
+ <property name="generalLogName" value="error" />
+ <property name="metricsLogName" value="metrics" />
+ <property name="auditLogName" value="audit" />
+ <property name="debugLogName" value="debug" />
+
+ <property name="errorLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|AAIUI|%mdc{PartnerName}|%logger|%.-5level|%msg%n" />
+ <property name="auditMetricPattern" value="%m%n" />
+
+ <property name="logDirectory" value="${logDir}/${componentName}" />
+
+
+ <!-- Example evaluator filter applied against console appender -->
+ <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+ <encoder>
+ <pattern>${errorLogPattern}</pattern>
+ </encoder>
+ </appender>
+
+ <!-- ============================================================================ -->
+ <!-- EELF Appenders -->
+ <!-- ============================================================================ -->
+
+ <!-- The EELFAppender is used to record events to the general application
+ log -->
+
+ <appender name="EELF" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <file>${logDirectory}/${generalLogName}.log</file>
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip
+</fileNamePattern>
+ <maxHistory>60</maxHistory>
+ </rollingPolicy>
+ <encoder>
+ <pattern>${errorLogPattern}</pattern>
+ </encoder>
+ </appender>
+ <appender name="asyncEELF" class="ch.qos.logback.classic.AsyncAppender">
+ <!-- deny all events with a level below INFO, that is TRACE and DEBUG -->
+ <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+ <level>INFO</level>
+ </filter>
+ <queueSize>256</queueSize>
+ <appender-ref ref="EELF" />
+ </appender>
+
+
+ <!-- EELF Audit Appender. This appender is used to record audit engine related
+ logging events. The audit logger and appender are specializations of the
+ EELF application root logger and appender. This can be used to segregate
+ Policy engine events from other components, or it can be eliminated to record
+ these events as part of the application root log. -->
+
+ <appender name="EELFAudit" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <file>${logDirectory}/${auditLogName}.log</file>
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip
+</fileNamePattern>
+ <maxHistory>60</maxHistory>
+ </rollingPolicy>
+ <encoder>
+ <pattern>${auditMetricPattern}</pattern>
+ </encoder>
+ </appender>
+ <appender name="asyncEELFAudit" class="ch.qos.logback.classic.AsyncAppender">
+ <queueSize>256</queueSize>
+ <appender-ref ref="EELFAudit" />
+ </appender>
+
+ <appender name="EELFMetrics" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <file>${logDirectory}/${metricsLogName}.log</file>
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip
+</fileNamePattern>
+ <maxHistory>60</maxHistory>
+ </rollingPolicy>
+ <encoder>
+ <!-- <pattern>"%d{HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n"</pattern> -->
+ <pattern>${auditMetricPattern}</pattern>
+ </encoder>
+ </appender>
+
+
+ <appender name="asyncEELFMetrics" class="ch.qos.logback.classic.AsyncAppender">
+ <queueSize>256</queueSize>
+ <appender-ref ref="EELFMetrics" />
+ </appender>
+
+ <appender name="EELFDebug" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <file>${logDirectory}/${debugLogName}.log</file>
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip
+</fileNamePattern>
+ <maxHistory>60</maxHistory>
+ </rollingPolicy>
+ <encoder>
+ <pattern>${errorLogPattern}</pattern>
+ </encoder>
+ </appender>
+
+ <appender name="asyncEELFDebug" class="ch.qos.logback.classic.AsyncAppender">
+ <queueSize>256</queueSize>
+ <appender-ref ref="EELFDebug" />
+ <includeCallerData>false</includeCallerData>
+ </appender>
+
+ <!-- ============================================================================ -->
+ <!-- EELF loggers -->
+ <!-- ============================================================================ -->
+ <logger name="com.att.eelf" level="info" additivity="false">
+ <appender-ref ref="asyncEELF" />
+ <appender-ref ref="asyncEELFDebug" />
+ <appender-ref ref="STDOUT" />
+ </logger>
+
+ <logger name="com.att.eelf.audit" level="info" additivity="false">
+ <appender-ref ref="asyncEELFAudit" />
+ </logger>
+ <logger name="com.att.eelf.metrics" level="info" additivity="false">
+ <appender-ref ref="asyncEELFMetrics" />
+ </logger>
+
+ <!-- Spring related loggers -->
+ <logger name="org.springframework" level="WARN" />
+ <logger name="org.springframework.beans" level="WARN" />
+ <logger name="org.springframework.web" level="WARN" />
+ <logger name="com.blog.spring.jms" level="WARN" />
+
+ <!-- Sparky loggers -->
+ <logger name="org.onap" level="INFO">
+ <appender-ref ref="STDOUT" />
+ </logger>
+
+ <!-- Other Loggers that may help troubleshoot -->
+ <logger name="net.sf" level="WARN" />
+ <logger name="org.apache.commons.httpclient" level="WARN" />
+ <logger name="org.apache.commons" level="WARN" />
+ <logger name="org.apache.coyote" level="WARN" />
+ <logger name="org.apache.jasper" level="WARN" />
+
+ <!-- Camel Related Loggers (including restlet/servlet/jaxrs/cxf logging.
+ May aid in troubleshooting) -->
+ <logger name="org.apache.camel" level="WARN" />
+ <logger name="org.apache.cxf" level="WARN" />
+ <logger name="org.apache.camel.processor.interceptor" level="WARN" />
+ <logger name="org.apache.cxf.jaxrs.interceptor" level="WARN" />
+ <logger name="org.apache.cxf.service" level="WARN" />
+ <logger name="org.restlet" level="WARN" />
+ <logger name="org.apache.camel.component.restlet" level="WARN" />
+
+ <!-- logback internals logging -->
+ <logger name="ch.qos.logback.classic" level="WARN" />
+ <logger name="ch.qos.logback.core" level="WARN" />
+
+ <root>
+ <appender-ref ref="asyncEELF" />
+ <appender-ref ref="STDOUT" />
+ <!-- <appender-ref ref="asyncEELFDebug" /> -->
+ </root>
+
+</configuration>
\ No newline at end of file
ext_req_read_timeout=20000
#Add AAF namespace if the app is centralized
-auth_namespace={{.Values.config.aafNamespace}}
+auth_namespace={{ .Values.certInitializer.fqi_namespace }}
# AAF Environment Designation
#if you are running aaf service from a docker image you have to use aaf service IP and port number
-aaf_id={{.Values.config.aafUsername}}
+aaf_id={{ .Values.certInitializer.fqi }}
#Encrypt the password using AAF Jar
-aaf_password={{.Values.config.aafPassword}}
+aaf_password={{ .Values.certInitializer.aafDeployPass }}
# Sample CADI Properties, from CADI 1.4.2
#hostname=org.onap.aai.orr
csp_domain=PROD
# Add Absolute path to Keyfile
-cadi_keyfile={{.Values.config.cadiKeyFile}}
+cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile
+cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+cadi_keystore_password=${KEYSTORE_PASSWORD}
+
+cadi_alias={{ .Values.certInitializer.fqi }}
# This is required to accept Certificate Authentication from Certman certificates.
# can be TEST, IST or PROD
cadi_loglevel=DEBUG
# Add Absolute path to truststore2018.jks
-cadi_truststore={{.Values.config.cadiTrustStore}}
+cadi_truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
# Note: This is the ONLY password that doesn't have to be encrypted. All Java's TrustStores are this passcode by default, because they are public certs
-cadi_truststore_password={{.Values.config.cadiTrustStorePassword}}
+cadi_truststore_password=${TRUSTSTORE_PASSWORD}
# how to turn on SSL Logging
#javax.net.debug=ssl
# limitations under the License.
*/}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-prop
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/application-resources.properties").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/application-ssl.properties").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/application-oxm-default.properties").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/application-oxm-override.properties").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/application-oxm-schema-prod.properties").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/roles.config").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/users.config").AsConfig . | indent 2 }}
---
apiVersion: v1
kind: ConfigMap
release: {{ include "common.release" . }}
heritage: {{ .Release.Service }}
data:
-{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
+{{ tpl (.Files.Glob "resources/config/application/*").AsConfig . | indent 2 }}
---
apiVersion: v1
kind: ConfigMap
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
- initContainers:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop \
+ | xargs -0)
+ if [ -z "$KEYSTORE_PASSWORD" ]
+ then
+ echo " /!\ certificates retrieval failed"
+ exit 1
+ fi
+ echo "*** write them in portal part"
+ cd /config-input
+ for PFILE in `ls -1 .`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ done
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ - mountPath: /config-input
+ name: portal-config-input
+ - mountPath: /config
+ name: portal-config
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
- command:
- /app/ready.py
args:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-
- volumeMounts:
+ command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop \
+ | xargs -0)
+ echo "*** actual launch of AAI Sparky BE"
+ /opt/app/sparky/bin/start.sh
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- - mountPath: /opt/app/sparky/config/auth/client-cert-onap.p12
- name: {{ include "common.fullname" . }}-auth-config
- subPath: client-cert-onap.p12
-
- mountPath: /opt/app/sparky/config/auth/csp-cookie-filter.properties
- name: {{ include "common.fullname" . }}-auth-config
+ name: auth-config
subPath: csp-cookie-filter.properties
-
- - mountPath: /opt/app/sparky/config/auth/org.onap.aai.p12
- name: {{ include "common.fullname" . }}-auth-config
- subPath: org.onap.aai.p12
-
- - mountPath: /opt/app/sparky/config/auth/truststoreONAPall.jks
- name: aai-common-aai-auth-mount
- subPath: truststoreONAPall.jks
-
- mountPath: /opt/app/sparky/config/portal/
- name: {{ include "common.fullname" . }}-portal-config
-
+ name: portal-config
- mountPath: /opt/app/sparky/config/portal/BOOT-INF/classes/
- name: {{ include "common.fullname" . }}-portal-config-props
-
+ name: portal-config-props
- mountPath: /var/log/onap
- name: {{ include "common.fullname" . }}-logs
-
+ name: logs
- mountPath: /opt/app/sparky/config/application.properties
- name: {{ include "common.fullname" . }}-properties
+ name: config
subPath: application.properties
-
- mountPath: /opt/app/sparky/config/application-resources.properties
- name: {{ include "common.fullname" . }}-properties
+ name: config
subPath: application-resources.properties
-
- mountPath: /opt/app/sparky/config/application-ssl.properties
- name: {{ include "common.fullname" . }}-properties
+ name: config
subPath: application-ssl.properties
-
- mountPath: /opt/app/sparky/config/application-oxm-default.properties
- name: {{ include "common.fullname" . }}-properties
+ name: config
subPath: application-oxm-default.properties
-
- mountPath: /opt/app/sparky/config/application-oxm-override.properties
- name: {{ include "common.fullname" . }}-properties
+ name: config
subPath: application-oxm-override.properties
-
- mountPath: /opt/app/sparky/config/application-oxm-schema-prod.properties
- name: {{ include "common.fullname" . }}-properties
+ name: config
subPath: application-oxm-schema-prod.properties
-
- mountPath: /opt/app/sparky/config/roles.config
- name: {{ include "common.fullname" . }}-properties
+ name: config
subPath: roles.config
-
- mountPath: /opt/app/sparky/config/users.config
- name: {{ include "common.fullname" . }}-properties
+ name: config
subPath: users.config
-
+ - mountPath: /opt/app/sparky/config/logging/logback.xml
+ name: config
+ subPath: logback.xml
ports:
- containerPort: {{ .Values.service.internalPort }}
# disable liveness probe when breakpoints set in debugger
subPath: filebeat.yml
name: filebeat-conf
- mountPath: /var/log/onap
- name: {{ include "common.fullname" . }}-logs
+ name: logs
- mountPath: /usr/share/filebeat/data
name: aai-sparky-filebeat
resources:
{{ include "common.resources" . }}
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
- name: localtime
hostPath:
path: /etc/localtime
-
- - name: {{ include "common.fullname" . }}-properties
- configMap:
- name: {{ include "common.fullname" . }}-prop
-
- - name: {{ include "common.fullname" . }}-config
+ - name: config
configMap:
name: {{ include "common.fullname" . }}
-
- - name: {{ include "common.fullname" . }}-portal-config
+ - name: portal-config
+ emptyDir:
+ medium: Memory
+ - name: portal-config-input
configMap:
name: {{ include "common.fullname" . }}-portal
-
- - name: {{ include "common.fullname" . }}-portal-config-props
+ - name: portal-config-props
configMap:
name: {{ include "common.fullname" . }}-portal-props
-
- - name: {{ include "common.fullname" . }}-auth-config
+ - name: auth-config
secret:
secretName: {{ include "common.fullname" . }}
-
- - name: aai-common-aai-auth-mount
- secret:
- secretName: aai-common-aai-auth
-
- name: filebeat-conf
configMap:
name: aai-filebeat
- - name: {{ include "common.fullname" . }}-logs
+ - name: logs
emptyDir: {}
- name: aai-sparky-filebeat
emptyDir: {}
searchData:
serviceName: aai-search-data
+
+#################################################################
+# Certificate configuration
+#################################################################
+certInitializer:
+ nameOverride: aai-sparky-cert-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: "aai"
+ app_ns: "org.osaaf.aaf"
+ fqi_namespace: "org.onap.aai"
+ fqi: "aai@aai.onap.org"
+ public_fqdn: "aaf.osaaf.org"
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ credsPath: /opt/app/osaaf/local
+ aaf_add_config: |
+ echo "*** changing passwords into shell safe ones"
+ export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ cd {{ .Values.credsPath }}
+ keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
+ -storepass "${cadi_keystore_password_p12}" \
+ -keystore {{ .Values.fqi_namespace }}.p12
+ keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
+ -storepass "${cadi_truststore_password}" \
+ -keystore {{ .Values.fqi_namespace }}.trust.jks
+ echo "*** save the generated passwords"
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop
+ echo "*** change ownership of certificates to targeted user"
+ chown -R 1000 {{ .Values.credsPath }}
+
# application image
image: onap/sparky-be:2.0.3
pullPolicy: Always
portalPassword: OBF:1t2v1vfv1unz1vgz1t3b
portalCookieName: UserId
portalAppRoles: ui_view
- aafUsername: aai@aai.onap.org
- aafNamespace: org.onap.aai
- aafPassword: enc:xxYw1FqXU5UpianbPeH5Rezg0YfjzuwQrSiLcCmJGfz
- cadiKeyFile: /opt/app/sparky/config/portal/keyFile
- cadiTrustStore: /opt/app/sparky/config/auth/truststoreONAPall.jks
cadiFileLocation: /opt/app/sparky/config/portal/cadi.properties
- cadiTrustStorePassword: changeit
cookieDecryptorClass: org.onap.aai.sparky.security.BaseCookieDecryptor
# ONAP Cookie Processing - During initial development, the following flag, if true, will
--- /dev/null
+spring.autoconfigure.exclude=\
+ org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\
+ org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration
+
+multi.tenancy.enabled={{ .Values.config.keycloak.multiTenancy.enabled }}
+keycloak.auth-server-url=http://{{ .Values.config.keycloak.host }}:{{ .Values.config.keycloak.port }}/auth
+keycloak.realm={{ .Values.config.keycloak.realm }}
+keycloak.resource={{ .Values.config.keycloak.resource }}
+keycloak.public-client=false
+keycloak.principal-attribute=preferred_username
+
+keycloak.ssl-required=external
+keycloak.bearer-only=true
{{ tpl (.Files.Glob "resources/config/janusgraph-cached.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/aaiconfig.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }}
+{{ tpl (.Files.Glob "resources/config/application-keycloak.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }}
---
apiVersion: v1
- mountPath: /opt/app/aai-traversal/resources/application.properties
name: {{ include "common.fullname" . }}-config
subPath: application.properties
+ - mountPath: /opt/app/aai-traversal/resources/application-keycloak.properties
+ name: {{ include "common.fullname" . }}-config
+ subPath: application-keycloak.properties
ports:
- containerPort: {{ .Values.service.internalPort }}
- containerPort: {{ .Values.service.internalPort2 }}
# Active spring profiles for the resources microservice
profiles:
- active: production,dmaap,aaf-auth
+ active: production,dmaap,aaf-auth #,keycloak
# Notification event specific properties
notification:
credsPath: /opt/app/osaaf/local
fqi_namespace: org.onap.aai-traversal
aaf_add_config: |
- echo "*** writing passwords into prop file"
- echo "KEYSTORE_PASSWORD=${cadi_keystore_password_p12}" > {{ .Values.credsPath }}/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${cadi_truststore_password}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "*** changing them into shell safe ones"
+ export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ cd {{ .Values.credsPath }}
+ keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
+ -storepass "${cadi_keystore_password_p12}" \
+ -keystore {{ .Values.fqi_namespace }}.p12
+ keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
+ -storepass "${cadi_truststore_password}" \
+ -keystore {{ .Values.fqi_namespace }}.trust.jks
+ echo "*** save the generated passwords"
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop
echo "*** change ownership of certificates to targeted user"
chown -R 1000 {{ .Values.credsPath }}
# application configuration
config:
+ # configure keycloak according to your environment.
+ # don't forget to add keycloak in active profiles above (global.config.profiles)
+ keycloak:
+ host: keycloak.your.domain
+ port: 8180
+ # Specifies a set of users, credentials, roles, and groups
+ realm: aai-traversal
+ # Used by any client application for enabling fine-grained authorization for their protected resources
+ resource: aai-traversal-app
+ # If set to true, additional criteria will be added into traversal query to returns all the vertices that match
+ # the data-owner property with the given role to the user in keycloak
+ multiTenancy:
+ enabled: true
+
# Specifies timeout information such as application specific and limits
timeout:
# If set to true application will timeout for queries taking longer than limit
cadi_longitude: "-72.0"
credsPath: /opt/app/osaaf/local
aaf_add_config: |
- echo "*** retrieving password for keystore"
- export $(/opt/app/aaf_config/bin/agent.sh local showpass \
- {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0)
- if [ -z "$cadi_keystore_password_p12" ]
- then
- echo " /!\ certificates retrieval failed"
- exit 1
- else
- cd {{ .Values.credsPath }};
- mkdir -p certs;
- echo "*** transform AAF certs into pem files"
- mkdir -p {{ .Values.credsPath }}/certs
- openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
- -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \
- -passin pass:$cadi_keystore_password_p12 \
- -passout pass:$cadi_keystore_password_p12
- echo "*** copy key file"
- cp {{ .Values.fqi_namespace }}.key certs/key.pem;
- echo "*** change ownership of certificates to targeted user"
- chown -R 1000 {{ .Values.credsPath }}
- fi
+ echo "*** transform AAF certs into pem files"
+ mkdir -p {{ .Values.credsPath }}/certs
+ openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+ echo "*** copy key file"
+ cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \
+ {{ .Values.credsPath }}/certs/key.pem
+ echo "*** change ownership of certificates to targeted user"
+ chown -R 1000 {{ .Values.credsPath }}
#################################################################
# Application configuration defaults.
waiting_bundles=$(/opt/opendaylight/current/bin/client bundle:list | grep Waiting | wc -l)
run_level=$(/opt/opendaylight/current/bin/client system:start-level)
- if [ "$run_level" == "Level 100" ] && [ "$waiting_bundles" -lt "1" ]
+ if [ "$run_level" = "Level 100" ] && [ "$waiting_bundles" -lt "1" ]
then
echo APPC is healthy.
else
+#!/bin/sh
+
{{/*
###
# ============LICENSE_START=======================================================
#set -x
*/}}
-function enable_odl_cluster(){
+enable_odl_cluster () {
if [ -z $APPC_REPLICAS ]; then
echo "APPC_REPLICAS is not configured in Env field"
exit
node_index=($(echo ${hm} | awk -F"-" '{print $NF}'))
node_list="${node}-0.{{ .Values.service.name }}-cluster.{{.Release.Namespace}}";
- for ((i=1;i<${APPC_REPLICAS};i++));
+ for i in $(seq 1 $((${APPC_REPLICAS}-1)));
do
node_list="${node_list} ${node}-$i.{{ .Values.service.name }}-cluster.{{.Release.Namespace}}"
done
# Wait for database to init properly
#
echo "Waiting for mariadbgalera"
-until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql &> /dev/null
+until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql >/dev/null 2>&1
do
printf "."
sleep 1
show databases like 'sdnctl';
END
)
- if [ "x${sdnc_db_exists}" == "x" ]
+ if [ "x${sdnc_db_exists}" = "x" ]
then
echo "Installing SDNC database"
${SDNC_HOME}/bin/installSdncDb.sh
show databases like 'appcctl';
END
)
- if [ "x${appc_db_exists}" == "x" ]
+ if [ "x${appc_db_exists}" = "x" ]
then
echo "Installing APPC database"
${APPC_HOME}/bin/installAppcDb.sh
+#!/bin/sh
+
{{/*
###
# ============LICENSE_START=======================================================
+#!/bin/sh
+
{{/*
###
# ============LICENSE_START=======================================================
disableNfsProvisioner: true
serviceAccount:
nameOverride: *appc-db
+ replicaCount: 1
dgbuilder:
nameOverride: appc-dgbuilder
- containerPort: {{ .Values.service.http.internalPort }}
- containerPort: {{ .Values.service.grpc.internalPort }}
- containerPort: {{ .Values.service.cluster.internalPort }}
+ startupProbe:
+ httpGet:
+ path: /api/v1/execution-service/health-check
+ port: {{ .Values.service.http.internalPort }}
+ httpHeaders:
+ - name: Authorization
+ value: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw==
+ initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }}
+ failureThreshold: {{ .Values.startup.failureThreshold }}
+ periodSeconds: {{ .Values.startup.periodSeconds }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
{{ if .Values.liveness.enabled }}
# Application configuration defaults.
#################################################################
# application image
-image: onap/ccsdk-blueprintsprocessor:1.1.1
+image: onap/ccsdk-blueprintsprocessor:1.1.4
pullPolicy: Always
# flag to enable debugging - application support required
# dbRootPassExternalSecret
# default number of instances
-replicaCount: 3
+replicaCount: 1
nodeSelector: {}
# probe configuration parameters
+startup:
+ initialDelaySeconds: 10
+ failureThreshold: 30
+ periodSeconds: 10
+
liveness:
- initialDelaySeconds: 120
+ initialDelaySeconds: 0
periodSeconds: 20
timeoutSeconds: 20
# necessary to disable liveness probe when setting breakpoints
cluster:
# Cannot have cluster enabled if the replicaCount is not at least 3
- enabled: true
+ enabled: false
clusterName: cds-cluster
# Application configuration defaults.
#################################################################
# application image
-image: onap/ccsdk-commandexecutor:1.1.1
+image: onap/ccsdk-commandexecutor:1.1.4
pullPolicy: Always
# application configuration
# Application configuration defaults.
#################################################################
# application image
-image: onap/ccsdk-py-executor:1.1.1
+image: onap/ccsdk-py-executor:1.1.4
pullPolicy: Always
# default number of instances
# Application configuration defaults.
#################################################################
# application image
-image: onap/ccsdk-sdclistener:1.1.1
+image: onap/ccsdk-sdclistener:1.1.4
name: sdc-listener
pullPolicy: Always
{{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
# application image
-image: onap/ccsdk-cds-ui-server:1.1.1
+image: onap/ccsdk-cds-ui-server:1.1.4
pullPolicy: Always
# application configuration
serviceAccount:
nameOverride: *dbServer
+ mariadbConfiguration: |-
+ [client]
+ port=3306
+ socket=/opt/bitnami/mariadb/tmp/mysql.sock
+ plugin_dir=/opt/bitnami/mariadb/plugin
+
+ [mysqld]
+ lower_case_table_names = 1
+ default_storage_engine=InnoDB
+ basedir=/opt/bitnami/mariadb
+ datadir=/bitnami/mariadb/data
+ plugin_dir=/opt/bitnami/mariadb/plugin
+ tmpdir=/opt/bitnami/mariadb/tmp
+ socket=/opt/bitnami/mariadb/tmp/mysql.sock
+ pid_file=/opt/bitnami/mariadb/tmp/mysqld.pid
+ bind_address=0.0.0.0
+
+ ## Character set
+ collation_server=utf8_unicode_ci
+ init_connect='SET NAMES utf8'
+ character_set_server=utf8
+
+ ## MyISAM
+ key_buffer_size=32M
+ myisam_recover_options=FORCE,BACKUP
+
+ ## Safety
+ skip_host_cache
+ skip_name_resolve
+ max_allowed_packet=16M
+ max_connect_errors=1000000
+ sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY
+ sysdate_is_now=1
+
+ ## Binary Logging
+ log_bin=mysql-bin
+ expire_logs_days=14
+ # Disabling for performance per http://severalnines.com/blog/9-tips-going-production-galera-cluster-mysql
+ sync_binlog=0
+ # Required for Galera
+ binlog_format=row
+
+ ## Caches and Limits
+ tmp_table_size=32M
+ max_heap_table_size=32M
+ # Re-enabling as now works with Maria 10.1.2
+ query_cache_type=1
+ query_cache_limit=4M
+ query_cache_size=256M
+ max_connections=500
+ thread_cache_size=50
+ open_files_limit=65535
+ table_definition_cache=4096
+ table_open_cache=4096
+
+ ## InnoDB
+ innodb=FORCE
+ innodb_strict_mode=1
+ # Mandatory per https://github.com/codership/documentation/issues/25
+ innodb_autoinc_lock_mode=2
+ # Per https://www.percona.com/blog/2006/08/04/innodb-double-write/
+ innodb_doublewrite=1
+ innodb_flush_method=O_DIRECT
+ innodb_log_files_in_group=2
+ innodb_log_file_size=128M
+ innodb_flush_log_at_trx_commit=1
+ innodb_file_per_table=1
+ # 80% Memory is default reco.
+ # Need to re-evaluate when DB size grows
+ innodb_buffer_pool_size=2G
+ innodb_file_format=Barracuda
+
+ ## Logging
+ log_error=/opt/bitnami/mariadb/logs/mysqld.log
+ slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log
+ log_queries_not_using_indexes=1
+ slow_query_log=1
+
+ ## SSL
+ ## Use extraVolumes and extraVolumeMounts to mount /certs filesystem
+ # ssl_ca=/certs/ca.pem
+ # ssl_cert=/certs/server-cert.pem
+ # ssl_key=/certs/server-key.pem
+
+ [galera]
+ wsrep_on=ON
+ wsrep_provider=/opt/bitnami/mariadb/lib/libgalera_smm.so
+ wsrep_sst_method=mariabackup
+ wsrep_slave_threads=4
+ wsrep_cluster_address=gcomm://
+ wsrep_cluster_name=galera
+ wsrep_sst_auth="root:"
+ # Enabled for performance per https://mariadb.com/kb/en/innodb-system-variables/#innodb_flush_log_at_trx_commit
+ innodb_flush_log_at_trx_commit=2
+ # MYISAM REPLICATION SUPPORT #
+ wsrep_replicate_myisam=ON
+
+ [mariadb]
+ plugin_load_add=auth_pam
+
+ ## Data-at-Rest Encryption
+ ## Use extraVolumes and extraVolumeMounts to mount /encryption filesystem
+ # plugin_load_add=file_key_management
+ # file_key_management_filename=/encryption/keyfile.enc
+ # file_key_management_filekey=FILE:/encryption/keyfile.key
+ # file_key_management_encryption_algorithm=AES_CTR
+ # encrypt_binlog=ON
+ # encrypt_tmp_files=ON
+
+ ## InnoDB/XtraDB Encryption
+ # innodb_encrypt_tables=ON
+ # innodb_encrypt_temporary_tables=ON
+ # innodb_encrypt_log=ON
+ # innodb_encryption_threads=4
+ # innodb_encryption_rotate_key_age=1
+
+ ## Aria Encryption
+ # aria_encrypt_tables=ON
+ # encrypt_tmp_disk_tables=ON
+
cds-blueprints-processor:
enabled: true
config:
cadi_latitude: "0.0"
credsPath: /opt/app/osaaf/local
aaf_add_config: |
- echo "*** retrieving password for keystore and trustore"
- export $(/opt/app/aaf_config/bin/agent.sh local showpass \
- {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0)
- if [ -z "$cadi_keystore_password_p12" ]
- then
- echo " /!\ certificates retrieval failed"
- exit 1
- else
- echo "*** transform AAF certs into pem files"
- mkdir -p {{ .Values.credsPath }}/certs
- keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \
- -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \
- -alias ca_local_0 \
- -storepass $cadi_truststore_password
- openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
- -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \
- -passin pass:$cadi_keystore_password_p12 \
- -passout pass:$cadi_keystore_password_p12
- echo "*** generating needed file"
- cat {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \
- {{ .Values.credsPath }}/certs/cert.pem \
- {{ .Values.credsPath }}/certs/cacert.pem \
- > {{ .Values.credsPath }}/certs/fullchain.pem;
- cat {{ .Values.credsPath }}/certs/fullchain.pem
- echo "*** change ownership of certificates to targeted user"
- chown -R 33 {{ .Values.credsPath }}
- fi
+ echo "*** transform AAF certs into pem files"
+ mkdir -p {{ .Values.credsPath }}/certs
+ keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \
+ -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \
+ -alias ca_local_0 \
+ -storepass $cadi_truststore_password
+ openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+ echo "*** generating needed file"
+ cat {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \
+ {{ .Values.credsPath }}/certs/cert.pem \
+ {{ .Values.credsPath }}/certs/cacert.pem \
+ > {{ .Values.credsPath }}/certs/fullchain.pem;
+ cat {{ .Values.credsPath }}/certs/fullchain.pem
+ echo "*** change ownership of certificates to targeted user"
+ chown -R 33 {{ .Values.credsPath }}
#################################################################
EXCLUDES :=
PROCESSED_LAST := cert-wrapper repository-wrapper
-PROCESSED_FIRST := repositoryGenerator readinessCheck certInitializer
+PROCESSED_FIRST := repositoryGenerator readinessCheck serviceAccount certInitializer
TO_FILTER := $(PROCESSED_FIRST) $(EXCLUDES) $(PROCESSED_LAST)
HELM_BIN := helm
ss="snapshots"
me=`basename $0`
-function find_target_table_name()
+find_target_table_name ()
{
dest_path=$1
keyspace_name=$2
printf $dest_table_name
}
-function print_usage()
+print_usage ()
{
echo "NAME"
echo " Script to restore Cassandra database from Nuvo/Cain snapshot"
done
# Validate inputs
-if [ "$base_db_dir" == "" ] || [ "$ss_dir" == "" ] || [ "$keyspace_name" == "" ]
+if [ "$base_db_dir" = "" ] || [ "$ss_dir" = "" ] || [ "$keyspace_name" = "" ]
then
echo ""
echo ">>>>>>>>>>Not all inputs provided, please check usage >>>>>>>>>>"
timeoutSeconds: {{ .Values.readiness.timeoutSeconds }}
successThreshold: {{ .Values.readiness.successThreshold }}
failureThreshold: {{ .Values.readiness.failureThreshold }}
+ startupProbe:
+ exec:
+ command:
+ - /bin/bash
+ - -c
+ - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }'
+ initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }}
+ periodSeconds: {{ .Values.startup.periodSeconds }}
+ timeoutSeconds: {{ .Values.startup.timeoutSeconds }}
+ successThreshold: {{ .Values.startup.successThreshold }}
+ failureThreshold: {{ .Values.startup.failureThreshold }}
env:
{{- $seed_size := default 1 .Values.replicaCount | int -}}
{{- $global := . }}
# probe configuration parameters
liveness:
- initialDelaySeconds: 60
- periodSeconds: 20
+ initialDelaySeconds: 1
+ periodSeconds: 10
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 3
enabled: true
readiness:
- initialDelaySeconds: 120
- periodSeconds: 20
+ initialDelaySeconds: 1
+ periodSeconds: 10
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 3
+startup:
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 10
+ successThreshold: 1
+ failureThreshold: 90
+
service:
name: cassandra
headless:
## storageClass: "-"
## Not set as it depends of the backup enabledment or not.
accessMode: ReadWriteOnce
- size: 2Gi
+ size: 10Gi
mountPath: /dockerdata-nfs
mountSubPath: cassandra
storageType: local
*/}}
CERTS_DIR=${CERTS_DIR:-/certs}
+MORE_CERTS_DIR=${MORE_CERTS_DIR:-/more_certs}
WORK_DIR=${WORK_DIR:-/updatedTruststore}
ONAP_TRUSTSTORE=${ONAP_TRUSTSTORE:-truststoreONAPall.jks}
JRE_TRUSTSTORE=${JRE_TRUSTSTORE:-$JAVA_HOME/lib/security/cacerts}
for f in $CERTS_DIR/*; do
export canonical_name_nob64=$(echo $f | sed 's/.*\/\([^\/]*\)/\1/')
export canonical_name_b64=$(echo $f | sed 's/.*\/\([^\/]*\)\(\.b64\)/\1/')
- if [ "$AAF_ENABLED" == "false" ] && [ "$canonical_name_b64" == "$ONAP_TRUSTSTORE" ]; then
+ if [ "$AAF_ENABLED" = "false" ] && [ "$canonical_name_b64" = "$ONAP_TRUSTSTORE" ]; then
# Dont use onap truststore when aaf is disabled
continue
fi
- if [ "$AAF_ENABLED" == "false" ] && [ "$canonical_name_nob64" == "$ONAP_TRUSTSTORE" ]; then
+ if [ "$AAF_ENABLED" = "false" ] && [ "$canonical_name_nob64" = "$ONAP_TRUSTSTORE" ]; then
# Dont use onap truststore when aaf is disabled
continue
fi
- if [ ${f: -3} == ".sh" ]; then
+ if [ ${f: -3} = ".sh" ]; then
continue
fi
- if [ ${f: -4} == ".b64" ]
+ if [ ${f: -4} = ".b64" ]
then
base64 -d $f > $WORK_DIR/`basename $f .b64`
else
fi
done
+for f in $MORE_CERTS_DIR/*; do
+ if [ ${f: -4} == ".pem" ]
+ then
+ cp $f $WORK_DIR/.
+ fi
+done
+
# Prepare truststore output file
-if [ "$AAF_ENABLED" == "true" ]
+if [ "$AAF_ENABLED" = "true" ]
then
- mv $WORK_DIR/$ONAP_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME
+ echo "AAF is enabled, use 'AAF' truststore"
+ export TRUSTSTORE_OUTPUT_FILENAME=${ONAP_TRUSTSTORE}
else
echo "AAF is disabled, using JRE truststore"
cp $JRE_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME
# Import Custom Certificates
for f in $WORK_DIR/*; do
- if [ ${f: -4} == ".pem" ]; then
+ if [ ${f: -4} = ".pem" ]; then
echo "importing certificate: $f"
keytool -import -file $f -alias `basename $f` -keystore $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME -storepass $TRUSTSTORE_PASSWORD -noprompt
if [ $? != 0 ]; then
--- /dev/null
+#!/bin/sh
+
+{{/*
+# Copyright © 2020 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/ -}}
+
+echo "*** retrieving certificates and keys"
+export CRT=$(cat {{ .Values.credsPath }}/certs/tls.crt | base64 -w 0)
+export KEY=$(cat {{ .Values.credsPath }}/certs/tls.key | base64 -w 0)
+export CACERT=$(cat {{ .Values.credsPath }}/certs/cacert.pem | base64 -w 0)
+echo "*** creating tls secret"
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ tpl .Values.ingressTlsSecret . }}
+ namespace: {{ include "common.namespace" . }}
+data:
+ ca.crt: "${CACERT}"
+ tls.crt: "${CRT}"
+ tls.key: '${KEY}'
+type: kubernetes.io/tls
+EOF
+#!/bin/sh
+
{{/*
# Copyright © 2021 Orange
#
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-*/}}
-#!/bin/sh
+*/ -}}
echo "*** retrieving passwords for certificates"
export $(/opt/app/aaf_config/bin/agent.sh local showpass \
--- /dev/null
+#!/bin/sh
+
+{{/*
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/ -}}
+
+echo "--- Cert transformation for use with Ingress"
+echo "*** transform AAF certs into pem files"
+mkdir -p {{ .Values.credsPath }}/certs
+keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \
+ -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \
+ -alias ca_local_0 \
+ -storepass $cadi_truststore_password
+openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -out {{ .Values.credsPath }}/certs/tls.crt -nokeys \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \
+ {{ .Values.credsPath }}/certs/tls.key
+echo "--- Done"
{{/*
# Copyright © 2020 Bell Canada, Samsung Electronics
+# Copyright © 2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
mountPath: /opt/app/aaf_config/bin/retrieval_check.sh
subPath: retrieval_check.sh
+{{- if hasKey $initRoot "ingressTlsSecret" }}
+ - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
+ mountPath: /opt/app/aaf_config/bin/tls_certs_configure.sh
+ subPath: tls_certs_configure.sh
+{{- end }}
{{- if $initRoot.aaf_add_config }}
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh
- |
/opt/app/aaf_config/bin/agent.sh
. /opt/app/aaf_config/bin/retrieval_check.sh
+{{- if hasKey $initRoot "ingressTlsSecret" }}
+ /opt/app/aaf_config/bin/tls_certs_configure.sh
+{{- end -}}
{{- if $initRoot.aaf_add_config }}
/opt/app/aaf_config/bin/aaf-add-config.sh
{{- end }}
volumeMounts:
- mountPath: /certs
name: aaf-agent-certs
+ - mountPath: /more_certs
+ name: provided-custom-certs
- mountPath: /root/import-custom-certs.sh
name: aaf-agent-certs
subPath: import-custom-certs.sh
configMap:
name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }}
defaultMode: 0700
+{{- if $dot.Values.global.importCustomCertsEnabled }}
+- name: provided-custom-certs
+{{- if $dot.Values.global.customCertsSecret }}
+ secret:
+ secretName: {{ $dot.Values.global.customCertsSecret }}
+{{- else }}
+{{- if $dot.Values.global.customCertsConfigMap }}
+ configMap:
+ name: {{ $dot.Values.global.customCertsConfigMap }}
+{{- else }}
+ emptyDir:
+ medium: Memory
+{{- end }}
+{{- end }}
+{{- end }}
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
configMap:
name: {{ include "common.fullname" $subchartDot }}-add-config
{{/*
# Copyright © 2020 Samsung Electronics
+# Copyright © 2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
{{- $suffix := "add-config" }}
metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
data:
-{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }}
+{{ tpl (.Files.Glob "resources/retrieval/retrieval_check.sh").AsConfig . | indent 2 }}
+{{- if hasKey .Values "ingressTlsSecret" }}
+{{ tpl (.Files.Glob "resources/retrieval/tls_certs_configure.sh").AsConfig . | indent 2 }}
+{{- end }}
{{ if .Values.aaf_add_config }}
aaf-add-config.sh: |
{{ tpl .Values.aaf_add_config . | indent 4 | trim }}
{{- end }}
+{{- if hasKey .Values "ingressTlsSecret" }}
+---
+apiVersion: v1
+kind: ConfigMap
+{{- $suffix := "ingress" }}
+metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
+data:
+{{ tpl (.Files.Glob "resources/ingress/onboard.sh").AsConfig . | indent 2 }}
+{{- end }}
--- /dev/null
+{{/*
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if hasKey .Values "ingressTlsSecret" }}
+apiVersion: batch/v1
+kind: Job
+{{- $suffix := "set-tls-secret" }}
+metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
+spec:
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ initContainers: {{ include "common.certInitializer.initContainer" (dict "dot" . "initRoot" .Values) | nindent 6 }}
+ containers:
+ - name: create tls secret
+ command:
+ - /ingress/onboard.sh
+ image: {{ include "repositoryGenerator.image.kubectl" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" (dict "dot" . "initRoot" .Values) | nindent 8 }}
+ - name: ingress-scripts
+ mountPath: /ingress
+ volumes: {{ include "common.certInitializer.volumes" (dict "dot" . "initRoot" .Values) | nindent 6 }}
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
+ - name: ingress-scripts
+ configMap:
+ name: {{ include "common.fullname" . }}-ingress
+ defaultMode: 0777
+{{- end}}
global:
aafAgentImage: onap/aaf/aaf_agent:2.1.20
aafEnabled: true
+ # Give the name of a config map where certInitializer will onboard all certs
+ # given (certs must be in pem format)
+ customCertsConfigMap:
+ # Give the name of a secret where certInitializer will onboard all certs given
+ # (certs must be in pem format)
+ # this one superseedes previous one (so if both are given, only certs from
+ # secret will be onboarded).
+ customCertsSecret:
+
pullPolicy: Always
- aaf-cm
- aaf-service
-aafDeployFqi: "changeme"
fqdn: ""
app_ns: "org.osaaf.aaf"
fqi: ""
truststoreOutputFileName: truststore.jks
truststorePassword: changeit
envVarToCheck: cadi_keystore_password_p12
+# ingressTlsSecret:
# This introduces implicit dependency on cert-wrapper
# if you are using cert initializer cert-wrapper has to be also deployed.
- name: common
version: ~8.x-0
repository: 'file://../common'
+ - name: cmpv2Config
+ version: ~8.x-0
+ repository: 'file://../cmpv2Config'
#
# To request a certificate following steps are to be done:
# - create an object 'certificates' in the values.yaml
-# - create a file templates/certificates.yaml and invoke the function "certManagerCertificate.certificate".
+# - create a file templates/certificate.yaml and invoke the function "certManagerCertificate.certificate".
#
# Here is an example of the certificate request for a component:
#
# passwordSecretRef:
# name: secret-name
# key: secret-key
+# create: true
#
# Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined.
# Other mandatory fields for the certificate definition do not have to be defined directly,
{{/*# General certifiacate attributes #*/}}
{{- $name := include "common.fullname" $dot -}}
{{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}}
-{{- $secretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
+{{- $secretName := default (printf "%s-secret-%d" $name $i) (tpl (default "" $certificate.secretName) $ ) -}}
{{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}}
{{- $renewBefore := default $subchartGlobal.certificate.default.renewBefore $certificate.renewBefore -}}
{{- $duration := default $subchartGlobal.certificate.default.duration $certificate.duration -}}
{{- if $certificate.issuer -}}
{{- $issuer = $certificate.issuer -}}
{{- end -}}
----
-{{- if $certificate.keystore }}
+{{/*# Secret #*/}}
+{{ if $certificate.keystore -}}
{{- $passwordSecretRef := $certificate.keystore.passwordSecretRef -}}
- {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote }}
+ {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote -}}
+ {{- if $passwordSecretRef.create }}
apiVersion: v1
kind: Secret
metadata:
type: Opaque
stringData:
{{ $passwordSecretRef.key }}: {{ $password }}
-{{- end }}
+ {{- end }}
+{{ end -}}
---
apiVersion: cert-manager.io/v1
kind: Certificate
{{- if $duration }}
duration: {{ $duration }}
{{- end }}
+ {{- if $certificate.isCA }}
+ isCA: {{ $certificate.isCA }}
+ {{- end }}
+ {{- if $certificate.usages }}
+ usages:
+ {{- range $usage := $certificate.usages }}
+ - {{ $usage }}
+ {{- end }}
+ {{- end }}
subject:
organizations:
- {{ $subject.organization }}
{{- end }}
{{- end }}
issuerRef:
+ {{- if not (eq $issuer.kind "Issuer" ) }}
group: {{ $issuer.group }}
+ {{- end }}
kind: {{ $issuer.kind }}
name: {{ $issuer.name }}
{{- if $certificate.keystore }}
{{ $outputType }}:
create: true
passwordSecretRef:
- name: {{ $certificate.keystore.passwordSecretRef.name }}
+ name: {{ tpl (default "" $certificate.keystore.passwordSecretRef.name) $ }}
key: {{ $certificate.keystore.passwordSecretRef.key }}
{{- end }}
{{- end }}
{{ end }}
{{- end -}}
+{{/*Using templates below allows read and write access to volume mounted at $mountPath*/}}
+
{{- define "common.certManager.volumeMounts" -}}
{{- $dot := default . .dot -}}
{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
sources:
- secret:
name: {{ $certificatesSecretName }}
- {{- if $certificate.keystore }}
items:
+ - key: tls.key
+ path: key.pem
+ - key: tls.crt
+ path: cert.pem
+ - key: ca.crt
+ path: cacert.pem
+ {{- if $certificate.keystore }}
{{- range $outputType := $certificate.keystore.outputType }}
- key: keystore.{{ $outputType }}
path: keystore.{{ $outputType }}
{{- end -}}
{{ $certsLinkCommand }}
{{- end -}}
+
+{{/*Using templates below allows only read access to volume mounted at $mountPath*/}}
+
+{{- define "common.certManager.volumeMountsReadOnly" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+ {{- range $i, $certificate := $dot.Values.certificates -}}
+ {{- $mountPath := $certificate.mountPath -}}
+- mountPath: {{ $mountPath }}
+ name: certmanager-certs-volume-{{ $i }}
+ {{- end -}}
+{{- end -}}
+
+{{- define "common.certManager.volumesReadOnly" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- $certificates := $dot.Values.certificates -}}
+ {{- range $i, $certificate := $certificates -}}
+ {{- $name := include "common.fullname" $dot -}}
+ {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
+- name: certmanager-certs-volume-{{ $i }}
+ projected:
+ sources:
+ - secret:
+ name: {{ $certificatesSecretName }}
+ items:
+ - key: tls.key
+ path: key.pem
+ - key: tls.crt
+ path: cert.pem
+ - key: ca.crt
+ path: cacert.pem
+ {{- if $certificate.keystore }}
+ {{- range $outputType := $certificate.keystore.outputType }}
+ - key: keystore.{{ $outputType }}
+ path: keystore.{{ $outputType }}
+ - key: truststore.{{ $outputType }}
+ path: truststore.{{ $outputType }}
+ {{- end }}
+ - secret:
+ name: {{ $certificate.keystore.passwordSecretRef.name }}
+ items:
+ - key: {{ $certificate.keystore.passwordSecretRef.key }}
+ path: keystore.pass
+ - key: {{ $certificate.keystore.passwordSecretRef.key }}
+ path: truststore.pass
+ {{- end }}
+ {{- end -}}
+{{- end -}}
- name: repositoryGenerator
version: ~8.x-0
repository: 'file://../repositoryGenerator'
+ - name: cmpv2Config
+ version: ~8.x-0
+ repository: 'file://../cmpv2Config'
{{- define "common.certServiceClient.initContainer" -}}
{{- $dot := default . .dot -}}
-{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}}
{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
{{- range $index, $certificate := $dot.Values.certificates -}}
{{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}}
{{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}}
{{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}}
-{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.secret.mountPath -}}
-{{- $keystorePath := $subchartGlobal.platform.certServiceClient.envVariables.keystorePath -}}
-{{- $keystorePassword := $subchartGlobal.platform.certServiceClient.envVariables.keystorePassword -}}
-{{- $truststorePath := $subchartGlobal.platform.certServiceClient.envVariables.truststorePath -}}
-{{- $truststorePassword := $subchartGlobal.platform.certServiceClient.envVariables.truststorePassword -}}
+{{- $certificatesSecret:= $subchartGlobal.platform.certServiceClient.clientSecretName -}}
+{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath -}}
+{{- $keystorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.keystoreKeyRef ) -}}
+{{- $keystorePasswordSecret := $subchartGlobal.platform.certificates.keystorePasswordSecretName -}}
+{{- $keystorePasswordSecretKey := $subchartGlobal.platform.certificates.keystorePasswordSecretKey -}}
+{{- $truststorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.truststoreKeyRef ) -}}
+{{- $truststorePasswordSecret := $subchartGlobal.platform.certificates.truststorePasswordSecretName -}}
+{{- $truststorePasswordSecretKey := $subchartGlobal.platform.certificates.truststorePasswordSecretKey -}}
- name: certs-init-{{ $index }}
image: {{ include "repositoryGenerator.image.certserviceclient" $dot }}
imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }}
- name: KEYSTORE_PATH
value: {{ $keystorePath | quote }}
- name: KEYSTORE_PASSWORD
- value: {{ $keystorePassword | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $keystorePasswordSecret | quote}}
+ key: {{ $keystorePasswordSecretKey | quote}}
- name: TRUSTSTORE_PATH
value: {{ $truststorePath | quote }}
- name: TRUSTSTORE_PASSWORD
- value: {{ $truststorePassword | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $truststorePasswordSecret | quote}}
+ key: {{ $truststorePasswordSecretKey | quote}}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
{{- define "common.certServiceClient.volumes" -}}
{{- $dot := default . .dot -}}
-{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}}
{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
-{{- $certificatesSecretName := $subchartGlobal.platform.certServiceClient.secret.name -}}
+{{- $certificatesSecretName := $subchartGlobal.platform.certificates.clientSecretName -}}
- name: certservice-tls-volume
secret:
secretName: {{ $certificatesSecretName }}
{{- define "common.certServiceClient.volumeMounts" -}}
{{- $dot := default . .dot -}}
-{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}}
{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
{{- range $index, $certificate := $dot.Values.certificates -}}
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-
-#################################################################
-# Global configuration default values that can be inherited by
-# all subcharts.
-#################################################################
-global:
- # Enabling CMPv2
- cmpv2Enabled: true
- CMPv2CertManagerIntegration: false
-
- certificate:
- default:
- subject:
- organization: "Linux-Foundation"
- country: "US"
- locality: "San-Francisco"
- province: "California"
- organizationalUnit: "ONAP"
-
- platform:
- certServiceClient:
- secret:
- name: oom-cert-service-client-tls-secret
- mountPath: /etc/onap/oom/certservice/certs/
- envVariables:
- certPath: "/var/custom-certs"
- # Client configuration related
- caName: "RA"
- requestURL: "https://oom-cert-service:8443/v1/certificate/"
- requestTimeout: "30000"
- keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
- outputType: "P12"
- keystorePassword: "secret"
- truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
- truststorePassword: "secret"
# See the License for the specific language governing permissions and
# limitations under the License.
global:
+
+ # Enabling CMPv2
+ cmpv2Enabled: true
+ CMPv2CertManagerIntegration: false
+
+ certificate:
+ default:
+ subject:
+ organization: "Linux-Foundation"
+ country: "US"
+ locality: "San-Francisco"
+ province: "California"
+ organizationalUnit: "ONAP"
+
platform:
+ certificates:
+ clientSecretName: oom-cert-service-client-tls-secret
+ keystoreKeyRef: keystore.jks
+ truststoreKeyRef: truststore.jks
+ keystorePasswordSecretName: oom-cert-service-keystore-password
+ keystorePasswordSecretKey: password
+ truststorePasswordSecretName: oom-cert-service-truststore-password
+ truststorePasswordSecretKey: password
certServiceClient:
image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3
- secretName: oom-cert-service-client-tls-secret
+ certificatesSecretMountPath: /etc/onap/oom/certservice/certs/
envVariables:
+ certPath: "/var/custom-certs"
# Certificate related
- cmpv2Organization: "Linux-Foundation"
- cmpv2OrganizationalUnit: "ONAP"
- cmpv2Location: "San-Francisco"
- cmpv2State: "California"
- cmpv2Country: "US"
+ caName: "RA"
# Client configuration related
requestURL: "https://oom-cert-service:8443/v1/certificate/"
requestTimeout: "30000"
- keystorePassword: "secret"
- truststorePassword: "secret"
+ outputType: "P12"
certPostProcessor:
image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3
*/}}
{{- define "common.masterPassword" -}}
{{ if .Values.masterPasswordOverride }}
- {{- printf "%d" .Values.masterPasswordOverride -}}
+ {{- printf "%s" .Values.masterPasswordOverride -}}
{{ else if .Values.global.masterPassword }}
- {{- printf "%d" .Values.global.masterPassword -}}
+ {{- printf "%s" .Values.global.masterPassword -}}
{{ else if .Values.masterPassword }}
- {{- printf "%d" .Values.masterPassword -}}
+ {{- printf "%s" .Values.masterPassword -}}
{{ else if eq "testRelease" (include "common.release" .) }}
{{/* Special case for chart liniting. DON"T NAME YOUR PRODUCTION RELEASE testRelease */}}
{{- printf "testRelease" -}}
*/}}
{{- define "common.mariadbService" -}}
{{- if .Values.global.mariadbGalera.localCluster -}}
- {{- index .Values "mariadb-galera" "service" "name" -}}
+ {{- index .Values "mariadb-galera" "nameOverride" -}}
{{- else -}}
{{- .Values.global.mariadbGalera.service -}}
{{- end -}}
livenessProbe:
exec:
command:
- - bash
+ - sh
- -ec
- |
exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD
readinessProbe:
exec:
command:
- - bash
+ - sh
- -ec
- |
exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD
successThreshold: {{ .Values.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
{{- end }}
+ {{- if .Values.startupProbe.enabled }}
+ startupProbe:
+ exec:
+ command:
+ - sh
+ - -ec
+ - |
+ exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD
+ initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.startupProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.startupProbe.successThreshold }}
+ failureThreshold: {{ .Values.startupProbe.failureThreshold }}
+ {{- end }}
resources: {{ include "common.resources" . | nindent 12 }}
volumeMounts:
- name: previous-boot
innodb_flush_log_at_trx_commit=2
# MYISAM REPLICATION SUPPORT #
wsrep_replicate_myisam=ON
+ binlog_format=row
+ default_storage_engine=InnoDB
+ innodb_autoinc_lock_mode=2
+ transaction-isolation=READ-COMMITTED
+ wsrep_causal_reads=1
+ wsrep_sync_wait=7
[mariadb]
plugin_load_add=auth_pam
resources:
small:
limits:
- cpu: 500m
- memory: 2.5Gi
+ cpu: 1
+ memory: 4Gi
requests:
- cpu: 100m
- memory: 750Mi
+ cpu: 500m
+ memory: 2Gi
large:
limits:
cpu: 2
- memory: 4Gi
+ memory: 6Gi
requests:
cpu: 1
- memory: 2Gi
+ memory: 3Gi
unlimited: {}
## MariaDB Galera containers' liveness and readiness probes
##
livenessProbe:
enabled: true
- ## Initializing the database could take some time
- ##
- initialDelaySeconds: 150
+ initialDelaySeconds: 1
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
readinessProbe:
enabled: true
- initialDelaySeconds: 60
+ initialDelaySeconds: 1
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
+startupProbe:
+ ## Initializing the database could take some time
+ ##
+ enabled: true
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 1
+ successThreshold: 1
+ # will wait up for initialDelaySeconds + failureThreshold*periodSeconds before
+ # stating startup wasn't good (910s per default)
+ failureThreshold: 90
## Pod disruption budget configuration
##
command:
- /app/ready.py
args:
- - --timeout
- - "{{ .Values.readinessTimeout }}"
- --container-name
- music-cassandra
env:
restartPolicy: Never
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
-
timeoutSeconds: {{ .Values.readiness.timeoutSeconds }}
successThreshold: {{ .Values.readiness.successThreshold }}
failureThreshold: {{ .Values.readiness.failureThreshold }}
+ startupProbe:
+ exec:
+ command:
+ - /bin/bash
+ - -c
+ - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }'
+ initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }}
+ periodSeconds: {{ .Values.startup.periodSeconds }}
+ timeoutSeconds: {{ .Values.startup.timeoutSeconds }}
+ successThreshold: {{ .Values.startup.successThreshold }}
+ failureThreshold: {{ .Values.startup.failureThreshold }}
lifecycle:
preStop:
exec:
nodePortPrefix: 302
persistence: {}
-replicaCount: 3
+replicaCount: 1
# Cassandra Image - This image is modified from the original on
# Docker Hub where the Security has been turned on.
# probe configuration parameters
liveness:
- initialDelaySeconds: 120
- periodSeconds: 20
+ initialDelaySeconds: 1
+ periodSeconds: 10
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 3
# in debugger so K8s doesn't restart unresponsive container
enabled: true
-readinessTimeout: 240
-
readiness:
- initialDelaySeconds: 10
- periodSeconds: 20
+ initialDelaySeconds: 1
+ periodSeconds: 10
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 3
+startup:
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 10
+ successThreshold: 1
+ failureThreshold: 90
+
podManagementPolicy: OrderedReady
updateStrategy:
type: OnDelete
# Debug Setup. Uses env variables
# DEBUG and DEBUG_PORT
# DEBUG=true/false | DEBUG_PORT=<Port valie must be integer>
-if [ "${DEBUG}" == "true" ]; then
- if [ "${DEBUG_PORT}" == "" ]; then
+if [ "${DEBUG}" = "true" ]; then
+ if [ "${DEBUG_PORT}" = "" ]; then
DEBUG_PORT=8000
fi
echo "Debug mode on"
credsPath: /opt/app/osaaf/local
appMountPath: /opt/app/aafcertman
aaf_add_config: >
- cd {{ .Values.credsPath }};
- /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} | grep cadi_keystore_password_jks= | cut -d= -f 2 > {{ .Values.credsPath }}/.pass 2>&1;
+ echo "$cadi_keystore_password_jks" > {{ .Values.credsPath }}/.pass;
{{/*
# Copyright © 2017 Amdocs, Bell Canada
+# Copyright © 2021 AT&T
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
{{- include "repositoryGenerator.image._helper" (merge (dict "image" "certServiceClientImage") .) }}
{{- end -}}
+{{- define "repositoryGenerator.image.dcaepolicysync" -}}
+ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "dcaePolicySyncImage") .) }}
+{{- end -}}
+
{{- define "repositoryGenerator.image.envsubst" -}}
{{- include "repositoryGenerator.image._helper" (merge (dict "image" "envsubstImage") .) }}
{{- end -}}
# Copyright © 2020 Orange
-# Copyright © 2021 Nokia
+# Copyright © 2021 Nokia, AT&T
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
nginxImage: bitnami/nginx:1.18-debian-10
postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1
readinessImage: onap/oom/readiness:3.0.1
+ dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1
# Default credentials
# they're optional. If the target repository doesn't need them, comment them
nginxImage: dockerHubRepository
postgresImage: dockerHubRepository
readinessImage: repository
+ dcaePolicySyncImage: repository
--- /dev/null
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: Wrapper chart to allow default roles to be shared among onap instances
+name: roles-wrapper
+version: 8.0.0
--- /dev/null
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: common
+ version: ~8.x-0
+ repository: 'file://../common'
--- /dev/null
+{{/*
+# Copyright © 2020 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- $dot := . -}}
+{{- range $role_type := $dot.Values.roles }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ printf "%s-%s" (include "common.release" $dot) $role_type }}
+ namespace: {{ include "common.namespace" $dot }}
+rules:
+{{- if eq $role_type "read" }}
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ - batch
+ - extensions
+ resources:
+ - pods
+ - deployments
+ - jobs
+ - jobs/status
+ - statefulsets
+ - replicasets
+ - replicasets/status
+ - daemonsets
+ verbs:
+ - get
+ - watch
+ - list
+{{- else }}
+{{- if eq $role_type "create" }}
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ - batch
+ - extensions
+ resources:
+ - pods
+ - deployments
+ - jobs
+ - jobs/status
+ - statefulsets
+ - replicasets
+ - replicasets/status
+ - daemonsets
+ - secrets
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - patch
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - deployments
+ - secrets
+ verbs:
+ - create
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - pods
+ - persistentvolumeclaims
+ - secrets
+ - deployment
+ verbs:
+ - delete
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - pods/exec
+ verbs:
+ - create
+{{- else }}
+# if you don't match read or create, then you're not allowed to use API
+# except to see basic information about yourself
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - selfsubjectaccessreviews
+ - selfsubjectrulesreviews
+ verbs:
+ - create
+{{- end }}
+{{- end }}
+{{- end }}
--- /dev/null
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+roles:
+ - nothing
+ - read
+ - create
{{- $dot := . -}}
{{- range $role_type := $dot.Values.roles }}
+{{/* retrieve the names for generic roles */}}
+{{ $name := printf "%s-%s" (include "common.release" $dot) $role_type }}
+{{- if not (has $role_type $dot.Values.defaultRoles) }}
+{{ $name = include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
+{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: RoleBinding
metadata:
- name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}}
+ name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
namespace: {{ include "common.namespace" $dot }}
subjects:
- kind: ServiceAccount
- name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}}
+ name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
roleRef:
kind: Role
- name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}}
+ name: {{ $name }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
+
# limitations under the License.
*/}}
-{{- $dot := . -}}
+{{- $dot := . -}}
{{- range $role_type := $dot.Values.roles }}
+{{/* Default roles are already created, just creating specific ones */}}
+{{- if not (has $role_type $dot.Values.defaultRoles) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
- name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}}
+ name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
namespace: {{ include "common.namespace" $dot }}
rules:
-{{- if eq $role_type "read" }}
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- - batch
- - extensions
- resources:
- - pods
- - deployments
- - jobs
- - jobs/status
- - statefulsets
- - replicasets
- - replicasets/status
- - daemonsets
- verbs:
- - get
- - watch
- - list
-{{- else }}
-{{- if eq $role_type "create" }}
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- - batch
- - extensions
- resources:
- - pods
- - deployments
- - jobs
- - jobs/status
- - statefulsets
- - replicasets
- - replicasets/status
- - daemonsets
- - secrets
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- resources:
- - statefulsets
- verbs:
- - patch
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- resources:
- - deployments
- - secrets
- verbs:
- - create
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- resources:
- - pods
- - persistentvolumeclaims
- - secrets
- - deployment
- verbs:
- - delete
+{{- if hasKey $dot.Values.new_roles_definitions $role_type }}
+{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }}
+{{- else}}
+# if no rules are provided, you're back to 'nothing' role
- apiGroups:
- - "" # "" indicates the core API group
- - apps
+ - authorization.k8s.io
resources:
- - pods/exec
+ - selfsubjectaccessreviews
+ - selfsubjectrulesreviews
verbs:
- create
-{{- else }}
-{{- if hasKey $dot.Values.new_roles_definitions $role_type }}
-{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }}
-{{- else}}
-# if you don't match read or create, then you're not allowed to use API
-- apiGroups: []
- resources: []
- verbs: []
{{- end }}
{{- end }}
{{- end }}
-{{- end }}
apiVersion: v1
kind: ServiceAccount
metadata:
- name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}}
-{{- end }}
+ name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
+{{- end }}
\ No newline at end of file
# See the License for the specific language governing permissions and
# limitations under the License.
+# Default roles will be created by roles wrapper
+# It won't work if roles wrapper is disabled.
roles:
- nothing
# - read
# - create
+defaultRoles:
+ - nothing
+ - read
+ - create
+
new_roles_definitions: {}
# few-read:
# - apiGroups:
#argument: yaml file
#calling syntax: parse_yaml <yaml_file_name>
-function parse_yaml {
+parse_yaml () {
local prefix=$2
local s='[[:space:]]*' w='[a-zA-Z0-9_]*' fs=$(echo @|tr @ '\034')
sed -ne "s|^\($s\):|\1|" \
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
+#!/bin/sh
+
{{/*
# Copyright © 2019 Bell Canada
#
replicaCount: 1
ejbca:
- image: primekey/ejbca-ce:6.15.2.5
+ image: primekey/ejbca-ce:7.4.3.2
pullPolicy: Always
mariadb-galera:
target_machine_notice_info
}
-if [[ $# -eq 1 ]] && [[ $1 == "-h" || $1 == "--help" ]]; then
+if [[ $# -eq 1 ]] && [[ $1 = "-h" || $1 = "--help" ]]; then
usage
-elif [[ $# -eq 1 ]] && [[ $1 == "--info" ]]; then
+elif [[ $# -eq 1 ]] && [[ $1 = "--info" ]]; then
target_machine_notice_info
else
deploy $@
generate_config_map $@
}
-if [[ $# -eq 1 ]] && [[ $1 == "-h" || $1 == "--help" ]]; then
+if [[ $# -eq 1 ]] && [[ $1 = "-h" || $1 = "--help" ]]; then
usage
elif [[ $# -eq 0 ]]; then
automatic_configuration
BASE_URL="https://nexus3.onap.org/repository/docker.release"
-if [ "$GERRIT_BRANCH" == "staging" ]; then
+if [ "$GERRIT_BRANCH" = "staging" ]; then
exit 0
fi
helm init --service-account tiller
kubectl -n kube-system rollout status deploy/tiller-deploy
echo "upgrade server side of helm in kubernetes"
- if [ "$USERNAME" == "root" ]; then
+ if [ "$USERNAME" = "root" ]; then
helm version
else
sudo helm version
fi
echo "sleep 30"
sleep 30
- if [ "$USERNAME" == "root" ]; then
+ if [ "$USERNAME" = "root" ]; then
helm init --upgrade
else
sudo helm init --upgrade
echo "sleep 30"
sleep 30
echo "verify both versions are the same below"
- if [ "$USERNAME" == "root" ]; then
+ if [ "$USERNAME" = "root" ]; then
helm version
else
sudo helm version
fi
echo "start helm server"
- if [ "$USERNAME" == "root" ]; then
+ if [ "$USERNAME" = "root" ]; then
helm serve &
else
sudo helm serve &
echo "sleep 30"
sleep 30
echo "add local helm repo"
- if [ "$USERNAME" == "root" ]; then
+ if [ "$USERNAME" = "root" ]; then
helm repo add local http://127.0.0.1:8879
helm repo list
else
liquibase:
change-log: classpath:changelog/changelog-master.yaml
- labels: ${LIQUIBASE_LABELS}
+ labels: {{ .Values.config.liquibaseLabels }}
+
+security:
+ # comma-separated uri patterns which do not require authorization
+ permit-uri: /manage/health/**,/manage/info,/swagger-ui/**,/swagger-resources/**,/v3/api-docs
+ auth:
+ username: ${CPS_USERNAME}
+ password: ${CPS_PASSWORD}
# Actuator
management:
level:
org:
springframework: {{ .Values.logging.level }}
+
+{{- if .Values.config.additional }}
+{{ toYaml .Values.config.additional | nindent 2 }}
+{{- end }}
+
+# Last empty line is required otherwise the last property will be missing from application.yml file in the pod.
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 12 }}
- name: LIQUIBASE_LABELS
value: {{ .Values.config.liquibaseLabels }}
+ - name: CPS_USERNAME
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "login") | indent 12 }}
+ - name: CPS_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "password") | indent 12 }}
volumeMounts:
- mountPath: /config-input
name: init-data-input
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
env:
- - name: CPS_USERNAME
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "login") | indent 12 }}
- - name: CPS_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "password") | indent 12 }}
+ - name: SPRING_PROFILES_ACTIVE
+ value: {{ .Values.config.spring.profile }}
resources: {{ include "common.resources" . | nindent 10 }}
{{- if .Values.nodeSelector }}
nodeSelector: {{ toYaml .Values.nodeSelector | nindent 12 }}
affinity: {{ toYaml .Values.affinity | nindent 12 }}
{{- end }}
volumeMounts:
- - mountPath: /app/resources/application.yml
- subPath: application.yml
+ - mountPath: /app/resources/application-helm.yml
+ subPath: application-helm.yml
name: init-data
- mountPath: /app/resources/logback.xml
subPath: logback.xml
virtualhost:
baseurl: "simpledemo.onap.org"
-image: onap/cps-and-nf-proxy:1.0.0
+image: onap/cps-and-nf-proxy:1.0.1
containerPort: &svc_port 8080
service:
# REST API basic authentication credentials (passsword is generated if not provided)
appUserName: cpsuser
+ spring:
+ profile: helm
#appUserPassword:
+# Any new property can be added in the env by setting in overrides in the format mentioned below
+# All the added properties must be in "key: value" format insead of yaml.
+# additional:
+# spring.config.max-size: 200
+# spring.config.min-size: 10
+
logging:
level: INFO
path: /tmp
#============LICENSE_START========================================================
# ================================================================================
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
+# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# ============LICENSE_END=========================================================
*/}}
{{/*
+For internal use only!
+
+dcaegen2-services-common._ms-specific-env-vars:
+This template generates a list of microservice-specific environment variables
+as specified in .Values.applicationEnv. The
+dcaegen2-services-common.microServiceDeployment uses this template
+to add the microservice-specific environment variables to the microservice's container.
+These environment variables are in addition to a standard set of environment variables
+provided to all microservices.
+
+The template expects a single argument, pointing to the caller's global context.
+
+Microservice-specific environment variables can be specified in two ways:
+ 1. As literal string values.
+ 2. As values that are sourced from a secret, identified by the secret's
+ uid and the key within the secret that provides the value.
+
+The following example shows an example of each type. The example assumes
+that a secret has been created using the OOM common secret mechanism, with
+a secret uid "example-secret" and a key called "password".
+
+applicationEnv:
+ APPLICATION_PASSWORD:
+ secretUid: example-secret
+ key: password
+ APPLICATION_EXAMPLE: "An example value"
+
+The example would set two environment variables on the microservice's container,
+one called "APPLICATION_PASSWORD" with the value set from the "password" key in
+the secret with uid "example-secret", and one called "APPLICATION_EXAMPLE" set to
+the the literal string "An example value".
+*/}}
+{{- define "dcaegen2-services-common._ms-specific-env-vars" -}}
+ {{- $global := . }}
+ {{- if .Values.applicationEnv }}
+ {{- range $envName, $envValue := .Values.applicationEnv }}
+ {{- if kindIs "string" $envValue }}
+- name: {{ $envName }}
+ value: {{ $envValue | quote }}
+ {{- else }}
+ {{ if or (not $envValue.secretUid) (not $envValue.key) }}
+ {{ fail (printf "Env %s definition is not a string and does not contain secretUid or key fields" $envName) }}
+ {{- end }}
+- name: {{ $envName }}
+ {{- include "common.secret.envFromSecretFast" (dict "global" $global "uid" $envValue.secretUid "key" $envValue.key) | indent 2 }}
+ {{- end -}}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+{{/*
+For internal use only!
+
+dcaegen2-services-common._externalVolumes:
+This template generates a list of volumes associated with the pod,
+based on information provided in .Values.externalVolumes. This
+template works in conjunction with dcaegen2-services-common._externalVolumeMounts
+to give the microservice access to data in volumes created else.
+This initial implementation supports ConfigMaps only, as this is the only
+external volume mounting required by current microservices.
+
+.Values.externalValues is a list of objects. Each object has 3 required fields and 1 optional field:
+ - name: the name of the resource (in the current implementation, it must be a ConfigMap)
+ that is to be set up as a volume. The value is a case sensitive string. Because the
+ names of resources are sometimes set at deployment time (for instance, to prefix the Helm
+ release to the name), the string can be a Helm template fragment that will be expanded at
+ deployment time.
+ - type: the type of the resource (in the current implementation, only "ConfigMap" is supported).
+ The value is a case-INsensitive string.
+ - mountPoint: the path to the mount point for the volume in the container file system. The
+ value is a case-sensitive string.
+ - readOnly: (Optional) Boolean flag. Set to true to mount the volume as read-only.
+ Defaults to false.
+
+Here is an example fragment from a values.yaml file for a microservice:
+
+externalVolumes:
+ - name: my-example-configmap
+ type: configmap
+ mountPath: /opt/app/config
+ - name: '{{ include "common.release" . }}-another-example'
+ type: configmap
+ mountPath: /opt/app/otherconfig
+*/}}
+{{- define "dcaegen2-services-common._externalVolumes" -}}
+ {{- $global := . -}}
+ {{- if .Values.externalVolumes }}
+ {{- range $vol := .Values.externalVolumes }}
+ {{- if eq (lower $vol.type) "configmap" }}
+ {{- $vname := (tpl $vol.name $global) }}
+- configMap:
+ defaultMode: 420
+ name: {{ $vname }}
+ name: {{ $vname }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{/*
+For internal use only!
+
+dcaegen2-services-common._externalVolumeMounts:
+This template generates a list of volume mounts for the microservice container,
+based on information provided in .Values.externalVolumes. This
+template works in conjunction with dcaegen2-services-common._externalVolumes
+to give the microservice access to data in volumes created else.
+This initial implementation supports ConfigMaps only, as this is the only
+external volume mounting required by current microservices.
+
+See the documentation for dcaegen2-services-common._externalVolumes for
+details on how external volumes are specified in the values.yaml file for
+the microservice.
+*/}}
+{{- define "dcaegen2-services-common._externalVolumeMounts" -}}
+ {{- $global := . -}}
+ {{- if .Values.externalVolumes }}
+ {{- range $vol := .Values.externalVolumes }}
+ {{- if eq (lower $vol.type) "configmap" }}
+ {{- $vname := (tpl $vol.name $global) -}}
+ {{- $readOnly := $vol.readOnly | default false }}
+- mountPath: {{ $vol.mountPath }}
+ name: {{ $vname }}
+ readOnly: {{ $readOnly }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{/*
dcaegen2-services-common.microserviceDeployment:
This template produces a Kubernetes Deployment for a DCAE microservice.
formats. It will also include the AAF CA cert. If the microservice is
a TLS client only (indicated by setting .Values.tlsServer to false), the
certificate information includes only the AAF CA cert.
+
+Deployed POD may also include a Policy-sync sidecar container.
+The sidecar is included if .Values.policies is set. The
+Policy-sync sidecar polls PolicyEngine (PDP) periodically based
+on .Values.policies.duration and configuration retrieved is shared with
+DCAE Microservice container by common volume. Policy can be retrieved based on
+list of policyID or filter
*/}}
{{- define "dcaegen2-services-common.microserviceDeployment" -}}
{{- $logDir := default "" .Values.logDirectory -}}
{{- $certDir := default "" .Values.certDirectory . -}}
{{- $tlsServer := default "" .Values.tlsServer -}}
+{{- $policy := default "" .Values.policies -}}
+
apiVersion: apps/v1
kind: Deployment
metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
- mountPath: /opt/app/osaaf
name: tls-info
{{- end }}
+ {{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }}
containers:
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
env:
{{- if $certDir }}
- name: DCAE_CA_CERTPATH
- value: {{ $certDir}}/cacert.pem
+ value: {{ $certDir }}/cacert.pem
{{- end }}
- name: CONSUL_HOST
value: consul-server.onap
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- {{- if .Values.applicationEnv }}
- {{- range $envName, $envValue := .Values.applicationEnv }}
- - name: {{ $envName }}
- value: {{ $envValue | quote }}
- {{- end }}
- {{- end }}
+ {{- include "dcaegen2-services-common._ms-specific-env-vars" . | nindent 8 }}
{{- if .Values.service }}
ports: {{ include "common.containerPorts" . | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
resources: {{ include "common.resources" . | nindent 2 }}
- {{- if or $logDir $certDir }}
volumeMounts:
+ - mountPath: /app-config
+ name: app-config
{{- if $logDir }}
- mountPath: {{ $logDir}}
name: component-log
{{- if $certDir }}
- mountPath: {{ $certDir }}
name: tls-info
+ {{- if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}}
+ {{- include "common.certManager.volumeMountsReadOnly" . | nindent 8 -}}
+ {{- end -}}
{{- end }}
+ {{- if $policy }}
+ - name: policy-shared
+ mountPath: /etc/policies
{{- end }}
+ {{- include "dcaegen2-services-common._externalVolumeMounts" . | nindent 8 }}
{{- if $logDir }}
- image: {{ include "repositoryGenerator.image.logging" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: filebeat-conf
subPath: filebeat.yml
{{- end }}
+ {{- if $policy }}
+ - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dcaePolicySyncImage }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: policy-sync
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: POLICY_SYNC_PDP_USER
+ valueFrom:
+ secretKeyRef:
+ name: onap-policy-xacml-pdp-api-creds
+ key: login
+ - name: POLICY_SYNC_PDP_PASS
+ valueFrom:
+ secretKeyRef:
+ name: onap-policy-xacml-pdp-api-creds
+ key: password
+ - name: POLICY_SYNC_PDP_URL
+ value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969
+ - name: POLICY_SYNC_OUTFILE
+ value : "/etc/policies/policies.json"
+ - name: POLICY_SYNC_V1_DECISION_ENDPOINT
+ value : "policy/pdpx/v1/decision"
+ {{- if $policy.filter }}
+ - name: POLICY_SYNC_FILTER
+ value: {{ $policy.filter }}
+ {{- end -}}
+ {{- if $policy.policyID }}
+ - name: POLICY_SYNC_ID
+ value: {{ $policy.policyID }}
+ {{- end -}}
+ {{- if $policy.duration }}
+ - name: POLICY_SYNC_DURATION
+ value: {{ $policy.duration }}
+ {{- end }}
+ resources: {{ include "common.resources" . | nindent 2 }}
+ volumeMounts:
+ - mountPath: /etc/policies
+ name: policy-shared
+ {{- if $certDir }}
+ - mountPath: /opt/ca-certificates/
+ name: tls-info
+ {{- end }}
+ {{- end }}
hostname: {{ include "common.name" . }}
volumes:
- configMap:
{{- if $certDir }}
- emptyDir: {}
name: tls-info
+ {{ if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}}
+ {{ include "common.certManager.volumesReadOnly" . | nindent 6 }}
+ {{- end }}
+ {{- end }}
+ {{- if $policy }}
+ - name: policy-shared
+ emptyDir: {}
{{- end }}
+ {{- include "dcaegen2-services-common._externalVolumes" . | nindent 6 }}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
{{ end -}}
+
+{{/*
+ For internal use
+
+ Template to attach CertPostProcessor which merges CMPv2 truststore with AAF truststore
+ and swaps keystore files.
+*/}}
+{{- define "dcaegen2-services-common._certPostProcessor" -}}
+ {{- $certDir := default "" .Values.certDirectory . -}}
+ {{- if and $certDir .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}}
+ {{- $cmpv2Certificate := (index .Values.certificates 0) -}}
+ {{- $cmpv2CertificateDir := $cmpv2Certificate.mountPath -}}
+ {{- $certType := "pem" -}}
+ {{- if $cmpv2Certificate.keystore -}}
+ {{- $certType = (index $cmpv2Certificate.keystore.outputType 0) -}}
+ {{- end -}}
+ {{- $truststoresPaths := printf "%s/%s:%s/%s" $certDir "cacert.pem" $cmpv2CertificateDir "cacert.pem" -}}
+ {{- $truststoresPasswordPaths := ":" -}}
+ {{- $keystoreSourcePaths := printf "%s/%s:%s/%s" $cmpv2CertificateDir "cert.pem" $cmpv2CertificateDir "key.pem" -}}
+ {{- $keystoreDestinationPaths := printf "%s/%s:%s/%s" $certDir "cert.pem" $certDir "key.pem" -}}
+ {{- if not (eq $certType "pem") -}}
+ {{- $truststoresPaths = printf "%s/%s:%s/%s.%s" $certDir "trust.jks" $cmpv2CertificateDir "truststore" $certType -}}
+ {{- $truststoresPasswordPaths = printf "%s/%s:%s/%s" $certDir "trust.pass" $cmpv2CertificateDir "truststore.pass" -}}
+ {{- $keystoreSourcePaths = printf "%s/%s.%s:%s/%s" $cmpv2CertificateDir "keystore" $certType $cmpv2CertificateDir "keystore.pass" -}}
+ {{- $keystoreDestinationPaths = printf "%s/%s.%s:%s/%s.pass" $certDir "cert" $certType $certDir $certType -}}
+ {{- end }}
+ - name: cert-post-processor
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.certPostProcessorImage }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ resources:
+ {{- include "common.resources" . | nindent 4 }}
+ volumeMounts:
+ - mountPath: {{ $certDir }}
+ name: tls-info
+ {{- include "common.certManager.volumeMountsReadOnly" . | nindent 4 }}
+ env:
+ - name: TRUSTSTORES_PATHS
+ value: {{ $truststoresPaths | quote}}
+ - name: TRUSTSTORES_PASSWORDS_PATHS
+ value: {{ $truststoresPasswordPaths | quote }}
+ - name: KEYSTORE_SOURCE_PATHS
+ value: {{ $keystoreSourcePaths | quote }}
+ - name: KEYSTORE_DESTINATION_PATHS
+ value: {{ $keystoreDestinationPaths | quote }}
+ {{- end }}
+{{- end -}}
# limitations under the License.
# ============LICENSE_END=========================================================
# dcaegen2-services-common templates get any values from the scope
-# they are passed. There are no locally-defined values.
\ No newline at end of file
+# they are passed. There are no locally-defined values.
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
- name: dcaegen2-services-common
version: ~8.x-0
repository: 'file://../../common/dcaegen2-services-common'
+ - name: certManagerCertificate
+ version: ~8.x-0
+ repository: '@local'
--- /dev/null
+{{/*
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }}
+{{ include "certManagerCertificate.certificate" . }}
+{{ end }}
#============LICENSE_START========================================================
# ================================================================================
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
#################################################################
tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0
+certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3
#################################################################
# Application configuration defaults.
#################################################################
# application image
-image: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.6.0
+image: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.8.0
pullPolicy: Always
# log directory where logging sidecar should look for log files
password: '{{ .Values.aafCreds.password }}'
passwordPolicy: required
+# CMPv2 certificate
+# It is used only when global parameter cmpv2Enabled is true
+# Disabled by default
+certificates:
+ - mountPath: /etc/ves-hv/ssl/external
+ commonName: dcae-hv-ves-collector
+ dnsNames:
+ - dcae-hv-ves-collector
+ - hv-ves-collector
+ - hv-ves
+ keystore:
+ outputType:
+ - jks
+ passwordSecretRef:
+ name: hv-ves-cmpv2-keystore-password
+ key: password
+ create: true
+
# dependencies
readinessCheck:
wait_for:
security.keys.trustStoreFile: /etc/ves-hv/ssl/trust.jks
security.keys.trustStorePasswordFile: /etc/ves-hv/ssl/trust.pass
streams_publishes:
+ ves-3gpp-fault-supervision:
+ type: kafka
+ aaf_credentials:
+ username: ${AAF_USER}
+ password: ${AAF_PASSWORD}
+ kafka_info:
+ bootstrap_servers: message-router-kafka:9092
+ topic_name: SEC_3GPP_FAULTSUPERVISION_OUTPUT
+ ves-3gpp-provisioning:
+ type: kafka
+ aaf_credentials:
+ username: ${AAF_USER}
+ password: ${AAF_PASSWORD}
+ kafka_info:
+ bootstrap_servers: message-router-kafka:9092
+ topic_name: SEC_3GPP_PROVISIONING_OUTPUT
+ ves-3gpp-heartbeat:
+ type: kafka
+ aaf_credentials:
+ username: ${AAF_USER}
+ password: ${AAF_PASSWORD}
+ kafka_info:
+ bootstrap_servers: message-router-kafka:9092
+ topic_name: SEC_3GPP_HEARTBEAT_OUTPUT
+ ves-3gpp-performance-assurance:
+ type: kafka
+ aaf_credentials:
+ username: ${AAF_USER}
+ password: ${AAF_PASSWORD}
+ kafka_info:
+ bootstrap_servers: message-router-kafka:9092
+ topic_name: SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT
perf3gpp:
type: kafka
aaf_credentials:
--- /dev/null
+# ================================ LICENSE_START =============================
+# ============================================================================
+# Copyright (C) 2021 Nordix Foundation.
+# ============================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ================================= LICENSE_END ==============================
+
+apiVersion: v1
+appVersion: "Honolulu"
+description: A Helm chart for DCAE PMSH
+name: dcae-pmsh
+version: 8.0.0
\ No newline at end of file
--- /dev/null
+# ================================ LICENSE_START =============================
+# ============================================================================
+# Copyright (C) 2021 Nordix Foundation.
+# ============================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ================================= LICENSE_END ==============================
+
+dependencies:
+ - name: common
+ version: ~8.x-0
+ repository: '@local'
+ - name: postgres
+ version: ~8.x-0
+ repository: '@local'
+ - name: readinessCheck
+ version: ~8.x-0
+ repository: '@local'
+ - name: repositoryGenerator
+ version: ~8.x-0
+ repository: '@local'
+ - name: dcaegen2-services-common
+ version: ~8.x-0
+ repository: 'file://../../common/dcaegen2-services-common'
\ No newline at end of file
--- /dev/null
+{{/*
+################################################################################
+# Copyright (c) 2021 Nordix Foundation. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); #
+# you may not use this file except in compliance with the License. #
+# You may obtain a copy of the License at #
+# #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+################################################################################
+*/}}
+
+{{ include "dcaegen2-services-common.configMap" . }}
\ No newline at end of file
--- /dev/null
+{{/*
+################################################################################
+# Copyright (c) 2021 Nordix Foundation. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); #
+# you may not use this file except in compliance with the License. #
+# You may obtain a copy of the License at #
+# #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+################################################################################
+*/}}
+
+{{ include "dcaegen2-services-common.microserviceDeployment" . }}
\ No newline at end of file
--- /dev/null
+{{/*
+################################################################################
+# Copyright (c) 2021 Nordix Foundation. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); #
+# you may not use this file except in compliance with the License. #
+# You may obtain a copy of the License at #
+# #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+################################################################################
+*/}}
+
+{{ include "common.secretFast" . }}
\ No newline at end of file
--- /dev/null
+{{/*
+################################################################################
+# Copyright (c) 2021 Nordix Foundation. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); #
+# you may not use this file except in compliance with the License. #
+# You may obtain a copy of the License at #
+# #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+################################################################################
+*/}}
+
+{{ include "common.service" . }}
\ No newline at end of file
--- /dev/null
+# ================================ LICENSE_START =============================
+# ============================================================================
+# Copyright (C) 2021 Nordix Foundation.
+# ============================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ================================= LICENSE_END ==============================
+
+#################################################################
+# Global Configuration Defaults.
+#################################################################
+global:
+ nodePortPrefix: 302
+ nodePortPrefixExt: 304
+
+#################################################################
+# Filebeat Configuration Defaults.
+#################################################################
+filebeatConfig:
+ logstashServiceName: log-ls
+ logstashPort: 5044
+
+#################################################################
+# Secrets Configuration.
+#################################################################
+secrets:
+ - uid: &aafCredsUID aafcreds
+ type: basicAuth
+ login: '{{ .Values.aafCreds.identity }}'
+ password: '{{ .Values.aafCreds.password }}'
+ passwordPolicy: required
+ - uid: &pgUserCredsSecretUid pg-user-creds
+ name: &pgUserCredsSecretName '{{ include "common.release" . }}-pmsh-pg-user-creds'
+ type: basicAuth
+ externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "pmsh-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}'
+ login: '{{ .Values.postgres.config.pgUserName }}'
+ password: '{{ .Values.postgres.config.pgUserPassword }}'
+ passwordPolicy: generate
+
+#################################################################
+# InitContainer Images.
+#################################################################
+tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
+consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0
+
+#################################################################
+# Application Configuration Defaults.
+#################################################################
+# Application Image
+image: onap/org.onap.dcaegen2.services.pmsh:1.3.1
+pullPolicy: Always
+
+# Log directory where logging sidecar should look for log files
+# if absent, no sidecar will be deployed
+logDirectory: /var/log/ONAP/dcaegen2/services/pmsh
+
+# Directory where TLS certs should be stored
+# if absent, no certs will be retrieved and stored
+certDirectory: /opt/app/pmsh/etc/certs
+
+# TLS role -- set to true if microservice acts as server
+# If true, an init container will retrieve a server cert
+# and key from AAF and mount them in certDirectory.
+tlsServer: true
+
+# Dependencies
+readinessCheck:
+ wait_for:
+ - dcae-config-binding-service
+ - aaf-cm
+ - &postgresName dcae-pmsh-postgres
+
+# Probe Configuration
+readiness:
+ initialDelaySeconds: 10
+ periodSeconds: 15
+ timeoutSeconds: 1
+ path: /healthcheck
+ scheme: HTTPS
+ port: 8443
+
+# Service Configuration
+service:
+ type: ClusterIP
+ name: dcae-pmsh
+ ports:
+ - name: https
+ port: 8443
+ port_protocol: http
+
+# AAF Credentials
+aafCreds:
+ identity: dcae@dcae.onap.org
+ password: demo123456!
+
+credentials:
+- name: AAF_IDENTITY
+ uid: *aafCredsUID
+ key: login
+- name: AAF_PASSWORD
+ uid: *aafCredsUID
+ key: password
+
+# Initial Application Configuration
+applicationConfig:
+ enable_tls: true
+ aaf_identity: ${AAF_IDENTITY}
+ aaf_password: ${AAF_PASSWORD}
+ key_path: /opt/app/pmsh/etc/certs/key.pem
+ cert_path: /opt/app/pmsh/etc/certs/cert.pem
+ ca_cert_path: /opt/app/pmsh/etc/certs/cacert.pem
+ control_loop_name: pmsh-control-loop
+ operational_policy_name: pmsh-operational-policy
+ pmsh_policy:
+ subscription:
+ subscriptionName: ExtraPM-All-gNB-R2B
+ administrativeState: LOCKED
+ fileBasedGP: 15
+ fileLocation: "/pm/pm.xml"
+ nfFilter: { "nfNames": [ "^pnf.*","^vnf.*" ],"modelInvariantIDs": [ ],"modelVersionIDs": [ ],"modelNames": [ ] }
+ measurementGroups: [ { "measurementGroup": { "measurementTypes": [ { "measurementType": "countera" },{ "measurementType": "counterb" } ],"managedObjectDNsBasic": [ { "DN": "dna" },{ "DN": "dnb" } ] } },{ "measurementGroup": { "measurementTypes": [ { "measurementType": "counterc" },{ "measurementType": "counterd" } ],"managedObjectDNsBasic": [ { "DN": "dnc" },{ "DN": "dnd" } ] } } ]
+ streams_publishes:
+ policy_pm_publisher:
+ type: message_router
+ dmaap_info:
+ topic_url: "https://message-router:3905/events/unauthenticated.DCAE_CL_OUTPUT"
+ streams_subscribes:
+ policy_pm_subscriber:
+ type: message_router
+ dmaap_info:
+ topic_url: "https://message-router:3905/events/unauthenticated.PMSH_CL_INPUT"
+ aai_subscriber:
+ type: message_router
+ dmaap_info:
+ topic_url: "https://message-router:3905/events/AAI-EVENT"
+
+applicationEnv:
+ PMSH_PG_URL: &dcaePmshPgPrimary dcae-pmsh-pg-primary
+ PMSH_PG_USERNAME:
+ secretUid: *pgUserCredsSecretUid
+ key: login
+ PMSH_PG_PASSWORD:
+ secretUid: *pgUserCredsSecretUid
+ key: password
+
+# Resource Limit Flavor -By Default Using Small
+flavor: small
+
+# Segregation for Different Environment (Small and Large)
+resources:
+ small:
+ limits:
+ cpu: 1
+ memory: 1Gi
+ requests:
+ cpu: 1
+ memory: 1Gi
+ large:
+ limits:
+ cpu: 2
+ memory: 2Gi
+ requests:
+ cpu: 2
+ memory: 2Gi
+ unlimited: {}
+
+#################################################################
+# Application configuration Overriding Defaults in the Postgres.
+#################################################################
+postgres:
+ nameOverride: *postgresName
+ service:
+ name: *postgresName
+ name2: *dcaePmshPgPrimary
+ name3: dcae-pmsh-pg-replica
+ container:
+ name:
+ primary: dcae-pmsh-pg-primary
+ replica: dcae-pmsh-pg-replica
+ persistence:
+ mountSubPath: pmsh/data
+ mountInitPath: pmsh
+ config:
+ pgUserName: pmsh
+ pgDatabase: pmsh
+ pgUserExternalSecret: *pgUserCredsSecretName
\ No newline at end of file
#============LICENSE_START========================================================
# ================================================================================
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
+# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0
+
#################################################################
# Application configuration defaults.
#################################################################
- port: 9091
name: http
+# Policy configuraiton properties
+# if present, policy-sync side car will be deployed
+
+#dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1
+#policies:
+# duration: 300
+# policyID: |
+# '["onap.vfirewall.tca","abc"]'
+# filter: |
+# '["DCAE.Config_vfirewall_.*"]'
+
aaiCreds:
user: DCAE
password: DCAE
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
- name: dcaegen2-services-common
version: ~8.x-0
repository: 'file://../../common/dcaegen2-services-common'
+ - name: certManagerCertificate
+ version: ~8.x-0
+ repository: '@local'
--- /dev/null
+{{/*
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }}
+{{ include "certManagerCertificate.certificate" . }}
+{{ end }}
#============LICENSE_START========================================================
# ================================================================================
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
#################################################################
tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0
+certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3
#################################################################
# Application configuration defaults.
# and key from AAF and mount them in certDirectory.
tlsServer: true
+# CMPv2 certificate
+# It is used only when global parameter cmpv2Enabled is true
+# Disabled by default
+certificates:
+ - mountPath: /opt/app/dcae-certificate/external
+ commonName: dcae-ves-collector
+ dnsNames:
+ - dcae-ves-collector
+ - ves-collector
+ - ves
+ keystore:
+ outputType:
+ - jks
+ passwordSecretRef:
+ name: ves-cmpv2-keystore-password
+ key: password
+ create: true
+
# dependencies
readinessCheck:
wait_for:
version: ~8.x-0
repository: 'file://components/dcae-ms-healthcheck'
condition: dcae-ms-healthcheck.enabled
+ - name: dcae-pmsh
+ version: ~8.x-0
+ repository: 'file://components/dcae-pmsh'
+ condition: dcae-pmsh.enabled
- name: dcae-prh
version: ~8.x-0
repository: 'file://components/dcae-prh'
enabled: true
dcae-hv-ves-collector:
enabled: true
+dcae-pmsh:
+ enabled: false
dcae-prh:
enabled: true
dcae-tcagen2:
tcagen2: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.2.1
ves: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.9.2
prh: onap/org.onap.dcaegen2.services.prh.prh-app-server:1.5.6
- hv_ves: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.6.0
+ hv_ves: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.8.0
# Resource Limit flavor -By Default using small
flavor: small
"image_tag": "{{ include "repositoryGenerator.repository" . }}/{{ .Values.cmpv2Config.global.platform.certServiceClient.image }}",
"request_url": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.requestURL }}",
"timeout": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.requestTimeout }}",
- "country": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Country }}",
- "organization": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Organization }}",
- "state": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2State }}",
- "organizational_unit": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2OrganizationalUnit }}",
- "location": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Location }}",
- "cert_secret_name": "{{ .Values.cmpv2Config.global.platform.certServiceClient.secretName }}",
- "keystore_password": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.keystorePassword }}",
- "truststore_password": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.truststorePassword }}"
+ "country": "{{ .Values.cmpv2Config.global.certificate.default.subject.country }}",
+ "organization": "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}",
+ "state": "{{ .Values.cmpv2Config.global.certificate.default.subject.province }}",
+ "organizational_unit": "{{ .Values.cmpv2Config.global.certificate.default.subject.organizationalUnit }}",
+ "location": "{{ .Values.cmpv2Config.global.certificate.default.subject.locality }}",
+ "cert_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName }}",
+ "keystore_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.keystoreKeyRef }}",
+ "truststore_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.truststoreKeyRef }}",
+ "keystore_password_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}",
+ "keystore_password_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretKey }}",
+ "truststore_password_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.truststorePasswordSecretName }}",
+ "truststore_password_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.truststorePasswordSecretKey }}"
},
"cert_post_processor": {
"image_tag": "{{ include "repositoryGenerator.repository" . }}/{{ .Values.cmpv2Config.global.platform.certPostProcessor.image }}"
# Application configuration defaults.
#################################################################
# application image
-image: onap/org.onap.dcaegen2.deployments.cm-container:4.4.2
+image: onap/org.onap.dcaegen2.deployments.cm-container:4.5.0
pullPolicy: Always
# name of shared ConfigMap with kubeconfig for multiple clusters
# Application configuration defaults.
#################################################################
# application image
-image: onap/org.onap.ccsdk.dashboard.ccsdk-app-os:1.4.0
+image: onap/org.onap.ccsdk.dashboard.ccsdk-app-os:1.4.3
pullPolicy: Always
# probe configuration parameters
enabled: false
readiness:
- initialDelaySeconds: 30
- periodSeconds: 30
+ initialDelaySeconds: 300
+ periodSeconds: 90
path: /ccsdk-app/health
scheme: HTTPS
# Application configuration defaults.
#################################################################
# application image
-image: onap/dmaap/kafka111:1.0.4
+image: onap/dmaap/kafka111:1.0.5
pullPolicy: Always
# Application configuration defaults.
#################################################################
# application image
-image: onap/dmaap/dmaap-mr:1.1.18
+image: onap/dmaap/dmaap-mr:1.1.20
pullPolicy: Always
kafka:
usage() {
cat << EOF
-Install (or upgrade) an umbrella Helm Chart, and its subcharts, as separate Helm Releases
+Install (or upgrade) an umbrella Helm Chart, and its subcharts, as separate Helm Releases
The umbrella Helm Chart is broken apart into a parent release and subchart releases.
Subcharts the are disabled (<chart>.enabled=false) will not be installed or upgraded.
for index in "${!SUBCHART_NAMES[@]}"; do
START=${SUBCHART_NAMES[index]}
END=${SUBCHART_NAMES[index+1]}
- if [[ $START == "global:" ]]; then
+ if [[ $START = "global:" ]]; then
echo "global:" > $GLOBAL_OVERRIDES
cat $COMPUTED_OVERRIDES | sed '/common:/,/consul:/d' \
| sed -n '/^'"$START"'/,/'log:'/p' | sed '1d;$d' >> $GLOBAL_OVERRIDES
else
- SUBCHART_DIR="$CACHE_SUBCHART_DIR/$(cut -d':' -f1 <<<"$START")"
+ SUBCHART_DIR="$CACHE_SUBCHART_DIR/$(echo "$START" |cut -d':' -f1)"
if [[ -d "$SUBCHART_DIR" ]]; then
if [[ -z "$END" ]]; then
cat $COMPUTED_OVERRIDES | sed -n '/^'"$START"'/,/'"$END"'/p' \
resolve_deploy_flags() {
flags=($1)
n=${#flags[*]}
- for (( i = 0; i < n; i++ )); do
+ i=0 ; while [ "$i" -lt "$n" ]; do
PARAM=${flags[i]}
- if [[ $PARAM == "-f" || \
- $PARAM == "--values" || \
- $PARAM == "--set" || \
- $PARAM == "--set-string" || \
- $PARAM == "--version" ]]; then
+ if [[ $PARAM = "-f" || \
+ $PARAM = "--values" || \
+ $PARAM = "--set" || \
+ $PARAM = "--set-string" || \
+ $PARAM = "--version" ]]; then
# skip param and its value
i=$((i + 1))
else
DEPLOY_FLAGS="$DEPLOY_FLAGS $PARAM"
fi
+ i=$((i+1))
done
echo "$DEPLOY_FLAGS"
}
RELEASE=$1
CHART_URL=$2
FLAGS=${@:3}
- CHART_REPO="$(cut -d'/' -f1 <<<"$CHART_URL")"
- CHART_NAME="$(cut -d'/' -f2 <<<"$CHART_URL")"
- if [[ $HELM_VER == "v3."* ]]; then
+ CHART_REPO="$(echo "$CHART_URL" |cut -d'/' -f1)"
+ CHART_NAME="$(echo "$CHART_URL" |cut -d'/' -f2)"
+ if [[ $HELM_VER = "v3."* ]]; then
CACHE_DIR=~/.local/share/helm/plugins/deploy/cache
else
CACHE_DIR=~/.helm/plugins/deploy/cache
DEPLOY_FLAGS=$(resolve_deploy_flags "$FLAGS")
# determine if upgrading individual subchart or entire parent + subcharts
- SUBCHART_RELEASE="$(cut -d'-' -f2 <<<"$RELEASE")"
+ SUBCHART_RELEASE="$(echo "$RELEASE" |cut -d'-' -f2)"
# update specified subchart without parent
- RELEASE="$(cut -d'-' -f1 <<<"$RELEASE")"
- if [[ $SUBCHART_RELEASE == $RELEASE ]]; then
+ RELEASE="$(echo "$RELEASE" |cut -d'-' -f1)"
+ if [[ $SUBCHART_RELEASE = $RELEASE ]]; then
SUBCHART_RELEASE=
fi
helm upgrade -i $RELEASE $CHART_DIR $DEPLOY_FLAGS -f $COMPUTED_OVERRIDES \
> $LOG_FILE.log 2>&1
- if [[ $VERBOSE == "true" ]]; then
+ if [[ $VERBOSE = "true" ]]; then
cat $LOG_FILE
else
echo "release \"$RELEASE\" deployed"
fi
# Add annotation last-applied-configuration if set-last-applied flag is set
- if [[ $SET_LAST_APPLIED == "true" ]]; then
+ if [[ $SET_LAST_APPLIED = "true" ]]; then
helm get manifest ${RELEASE} \
| kubectl apply set-last-applied --create-annotation -n onap -f - \
> $LOG_FILE.log 2>&1
fi
if [[ $SUBCHART_ENABLED -eq 1 ]]; then
- if [[ -z "$SUBCHART_RELEASE" || $SUBCHART_RELEASE == "$subchart" ]]; then
+ if [[ -z "$SUBCHART_RELEASE" || $SUBCHART_RELEASE = "$subchart" ]]; then
LOG_FILE=$LOG_DIR/"${RELEASE}-${subchart}".log
:> $LOG_FILE
$DEPLOY_FLAGS -f $GLOBAL_OVERRIDES -f $SUBCHART_OVERRIDES \
> $LOG_FILE 2>&1
- if [[ $VERBOSE == "true" ]]; then
+ if [[ $VERBOSE = "true" ]]; then
cat $LOG_FILE
else
echo "release \"${RELEASE}-${subchart}\" deployed"
fi
# Add annotation last-applied-configuration if set-last-applied flag is set
- if [[ $SET_LAST_APPLIED == "true" ]]; then
+ if [[ $SET_LAST_APPLIED = "true" ]]; then
helm get manifest "${RELEASE}-${subchart}" \
| kubectl apply set-last-applied --create-annotation -n onap -f - \
> $LOG_FILE.log 2>&1
fi
fi
- if [[ $DELAY == "true" ]]; then
+ if [[ $DELAY = "true" ]]; then
echo sleep 3m
sleep 3m
fi
else
array=($(echo "$ALL_HELM_RELEASES" | grep "${RELEASE}-${subchart}"))
n=${#array[*]}
- for (( i = n-1; i >= 0; i-- )); do
- if [[ $HELM_VER == "v3."* ]]; then
- helm del "${array[i]}"
+ for i in $(seq $(($n-1)) -1 0); do
+ if [[ $HELM_VER = "v3."* ]]; then
+ helm del "${array[i]}"
else
helm del "${array[i]}" --purge
fi
done
# report on success/failures of installs/upgrades
- if [[ $HELM_VER == "v3."* ]]; then
+ if [[ $HELM_VER = "v3."* ]]; then
helm ls --all-namespaces | grep -i FAILED | grep $RELEASE
else
helm ls | grep FAILED | grep $RELEASE
usage() {
cat << EOF
-Delete an umbrella Helm Chart, and its subcharts, that was previously deployed using 'Helm deploy'.
+Delete an umbrella Helm Chart, and its subcharts, that was previously deployed using 'Helm deploy'.
Example of deleting all Releases that have the prefix 'demo'.
$ helm undeploy demo
array=($(helm ls -q --all | grep $RELEASE))
n=${#array[*]}
- for (( i = n-1; i >= 0; i-- ))
+ for i in $(seq $(($n-1)) -1 0)
do
helm del "${array[i]}" $FLAGS
done
# Application configuration defaults.
#################################################################
# application image
-image: onap/holmes/engine-management:1.3.2
+image: onap/holmes/engine-management:1.3.3
consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0
#################################################################
keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \
-storepass "${cadi_truststore_password}" \
-keystore {{ .Values.fqi_namespace }}.trust.jks
- echo "*** set key password as same password as keystore password"
- keytool -keypasswd -new "${KEYSTORE_PASSWORD}" \
- -keystore {{ .Values.fqi_namespace }}.p12 \
- -keypass "${cadi_keystore_password_p12}" \
- -storepass "${KEYSTORE_PASSWORD}" -alias {{ .Values.fqi }}
echo "*** save the generated passwords"
echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop
# Application configuration defaults.
#################################################################
# application image
-image: onap/holmes/rule-management:1.3.2
+image: onap/holmes/rule-management:1.3.3
consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0
#################################################################
keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \
-storepass "${cadi_truststore_password}" \
-keystore {{ .Values.fqi_namespace }}.trust.jks
- echo "*** set key password as same password as keystore password"
- keytool -keypasswd -new "${KEYSTORE_PASSWORD}" \
- -keystore {{ .Values.fqi_namespace }}.p12 \
- -keypass "${cadi_keystore_password_p12}" \
- -storepass "${KEYSTORE_PASSWORD}" -alias {{ .Values.fqi }}
echo "*** save the generated passwords"
echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop
app_ns: org.osaaf.aaf
credsPath: /opt/app/osaaf/local
aaf_add_config: |
- echo "*** retrieving passwords for certificates"
- export $(/opt/app/aaf_config/bin/agent.sh local showpass \
- {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c')
- if [ -z "$cadi_keystore_password_p12" ]
- then
- echo " /!\ certificates retrieval failed"
- exit 1
- else
- mkdir -p {{ .Values.credsPath }}/certs
- echo "*** retrieve certificate from pkcs12"
- openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
- -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \
- -passin pass:$cadi_keystore_password_p12 \
- -passout pass:$cadi_keystore_password_p12
- echo "*** copy key to relevant place"
- cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key
- echo "*** change ownership and read/write attributes"
- chown -R 1000 {{ .Values.credsPath }}/certs
- chmod 600 {{ .Values.credsPath }}/certs/cert.crt
- chmod 600 {{ .Values.credsPath }}/certs/cert.key
- fi
+ mkdir -p {{ .Values.credsPath }}/certs
+ echo "*** retrieve certificate from pkcs12"
+ openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+ echo "*** copy key to relevant place"
+ cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key
+ echo "*** change ownership and read/write attributes"
+ chown -R 1000 {{ .Values.credsPath }}/certs
+ chmod 600 {{ .Values.credsPath }}/certs/cert.crt
+ chmod 600 {{ .Values.credsPath }}/certs/cert.key
#################################################################
# Application configuration defaults.
app_ns: org.osaaf.aaf
credsPath: /opt/app/osaaf/local
aaf_add_config: |
- echo "*** retrieving passwords for certificates"
- export $(/opt/app/aaf_config/bin/agent.sh local showpass \
- {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c')
- if [ -z "$cadi_keystore_password_p12" ]
- then
- echo " /!\ certificates retrieval failed"
- exit 1
- else
- mkdir -p {{ .Values.credsPath }}/certs
- echo "*** retrieve certificate from pkcs12"
- openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
- -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \
- -passin pass:$cadi_keystore_password_p12 \
- -passout pass:$cadi_keystore_password_p12
- echo "*** copy key to relevant place"
- cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key
- echo "*** change ownership and read/write attributes"
- chown -R 1000 {{ .Values.credsPath }}/certs
- chmod 600 {{ .Values.credsPath }}/certs/cert.crt
- chmod 600 {{ .Values.credsPath }}/certs/cert.key
- fi
+ mkdir -p {{ .Values.credsPath }}/certs
+ echo "*** retrieve certificate from pkcs12"
+ openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+ echo "*** copy key to relevant place"
+ cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key
+ echo "*** change ownership and read/write attributes"
+ chown -R 1000 {{ .Values.credsPath }}/certs
+ chmod 600 {{ .Values.credsPath }}/certs/cert.crt
+ chmod 600 {{ .Values.credsPath }}/certs/cert.key
#################################################################
# Application configuration defaults.
# Application configuration defaults.
#################################################################
# application image
-image: onap/multicloud/k8s:0.8.0
+image: onap/multicloud/k8s:0.8.2
pullPolicy: Always
# flag to enable debugging - application support required
app_ns: org.osaaf.aaf
credsPath: /opt/app/osaaf/local
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- /opt/app/aaf_config/bin/agent.sh local showpass
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop
aafConfig:
permission_user: 1000
version: ~8.x-0
repository: '@local'
condition: cert-wrapper.enabled
+ - name: roles-wrapper
+ version: ~8.x-0
+ repository: '@local'
+ condition: roles-wrapper.enabled
cmpv2Enabled: true
CMPv2CertManagerIntegration: false
platform:
+ certificates:
+ clientSecretName: oom-cert-service-client-tls-secret
+ keystoreKeyRef: keystore.jks
+ truststoreKeyRef: truststore.jks
+ keystorePasswordSecretName: oom-cert-service-certificates-password
+ keystorePasswordSecretKey: password
+ truststorePasswordSecretName: oom-cert-service-certificates-password
+ truststorePasswordSecretKey: password
certServiceClient:
image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3
- secret:
- name: oom-cert-service-client-tls-secret
- mountPath: /etc/onap/oom/certservice/certs/
+ certificatesSecretMountPath: /etc/onap/oom/certservice/certs/
envVariables:
certPath: "/var/custom-certs"
# Certificate related
- cmpv2Organization: "Linux-Foundation"
- cmpv2OrganizationalUnit: "ONAP"
- cmpv2Location: "San-Francisco"
- cmpv2State: "California"
- cmpv2Country: "US"
- # Client configuration related
caName: "RA"
+ # Client configuration related
requestURL: "https://oom-cert-service:8443/v1/certificate/"
requestTimeout: "30000"
- keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
outputType: "P12"
- keystorePassword: "secret"
- truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
- truststorePassword: "secret"
# Indicates offline deployment build
# Set to true if you are rendering helm charts for offline deployment
enabled: true
repository-wrapper:
enabled: true
+roles-wrapper:
+ enabled: true
enabled: true
# application image
-image: onap/optf-cmso-optimizer:2.3.3
+image: onap/optf-cmso-optimizer:2.3.4
pullPolicy: Always
#init container image
dbinit:
- image: onap/optf-cmso-dbinit:2.3.3
+ image: onap/optf-cmso-dbinit:2.3.4
# flag to enable debugging - application support required
debugEnabled: false
- mountPath: /usr/share/filebeat/data
name: {{ include "common.fullname" . }}-filebeat
resources:
-{{ include "common.resources" . }}
- - name: mso-simulator
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.robotimage }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- volumeMounts:
- - name: {{ include "common.fullname" . }}-config
- mountPath: /share/etc/config
- ports:
- - containerPort: 5000
- resources:
{{ include "common.resources" . }}
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
enabled: true
# application image
-image: onap/optf-cmso-service:2.3.3
-robotimage: onap/optf-cmso-robot:2.3.3
+image: onap/optf-cmso-service:2.3.4
pullPolicy: Always
#init container image
dbinit:
- image: onap/optf-cmso-dbinit:2.3.3
+ image: onap/optf-cmso-dbinit:2.3.4
# flag to enable debugging - application support required
debugEnabled: false
enabled: true
# application image
-image: onap/optf-cmso-ticketmgt:2.3.3
+image: onap/optf-cmso-ticketmgt:2.3.4
pullPolicy: Always
enabled: true
# application image
-image: onap/optf-cmso-topology:2.3.3
+image: onap/optf-cmso-topology:2.3.4
pullPolicy: Always
+#!/bin/bash
+
{{/*
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018 AT&T,VMware
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-
*/}}
-#!/bin/bash
+
{{/*
# Controller is a process that reads from Music Q
# It uses no ports (TCP or HTTP). The PROB will check
certEndpoint: v1/certificate
caName: RA
certSecretRef:
- name: cmpv2-issuer-secret
- certRef: certServiceServer-cert.pem
- keyRef: certServiceServer-key.pem
- cacertRef: truststore.pem
+ name: oom-cert-service-client-tls-secret
+ certRef: tls.crt
+ keyRef: tls.key
+ cacertRef: ca.crt
+++ /dev/null
-CERTS_DIR = resources
-CURRENT_DIR := ${CURDIR}
-DOCKER_CONTAINER = generate-certs
-DOCKER_EXEC = docker exec ${DOCKER_CONTAINER}
-
-all: start_docker \
- clear_all \
- root_generate_keys \
- root_create_certificate \
- root_self_sign_certificate \
- client_generate_keys \
- client_generate_csr \
- client_sign_certificate_by_root \
- client_import_root_certificate \
- client_convert_certificate_to_jks \
- server_generate_keys \
- server_generate_csr \
- server_sign_certificate_by_root \
- server_import_root_certificate \
- server_convert_certificate_to_jks \
- server_convert_certificate_to_p12 \
- convert_truststore_to_p12 \
- convert_truststore_to_pem \
- server_export_certificate_to_pem \
- server_export_key_to_pem \
- clear_unused_files \
- stop_docker
-
-.PHONY: all
-
-# Starts docker container for generating certificates - deletes first, if already running
-start_docker:
- @make stop_docker
- $(eval REPOSITORY := $(shell cat ./values.yaml | grep -i "^[ \t]*repository" -m1 | xargs | cut -d ' ' -f2))
- $(eval JAVA_IMAGE := $(shell cat ./values.yaml | grep -i "^[ \t]*certificateGenerationImage" -m1 | xargs | cut -d ' ' -f2))
- $(eval FULL_JAVA_IMAGE := $(REPOSITORY)/$(JAVA_IMAGE))
- $(eval USERNAME :=$(shell id -u))
- $(eval GROUP :=$(shell id -g))
- docker run --rm --name ${DOCKER_CONTAINER} --user "$(USERNAME):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/certs -w /certs --entrypoint "sh" -td $(FULL_JAVA_IMAGE)
-
-# Stops docker container for generating certificates. 'true' is used to return 0 status code, if container is already deleted
-stop_docker:
- docker rm ${DOCKER_CONTAINER} -f 1>/dev/null || true
-
-#Clear all files related to certificates
-clear_all:
- @make clear_existing_certificates
- @make clear_unused_files
-
-#Clear certificates
-clear_existing_certificates:
- @echo "Clear certificates"
- ${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 truststore.pem certServiceServer-cert.pem certServiceServer-key.pem
- @echo "#####done#####"
-
-#Generate root private and public keys
-root_generate_keys:
- @echo "Generate root private and public keys"
- ${DOCKER_EXEC} keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \
- -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \
- -storepass secret -ext BasicConstraints:critical="ca:true"
- @echo "#####done#####"
-
-#Export public key as certificate
-root_create_certificate:
- @echo "(Export public key as certificate)"
- ${DOCKER_EXEC} keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc
- @echo "#####done#####"
-
-#Self-signed root (import root certificate into truststore)
-root_self_sign_certificate:
- @echo "(Self-signed root (import root certificate into truststore))"
- ${DOCKER_EXEC} keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt
- @echo "#####done#####"
-
-#Generate certService's client private and public keys
-client_generate_keys:
- @echo "Generate certService's client private and public keys"
- ${DOCKER_EXEC} keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 365 \
- -keystore certServiceClient-keystore.jks -storetype JKS \
- -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \
- -keypass secret -storepass secret
- @echo "####done####"
-
-#Generate certificate signing request for certService's client
-client_generate_csr:
- @echo "Generate certificate signing request for certService's client"
- ${DOCKER_EXEC} keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr
- @echo "####done####"
-
-#Sign certService's client certificate by root CA
-client_sign_certificate_by_root:
- @echo "Sign certService's client certificate by root CA"
- ${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \
- -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth"
- @echo "####done####"
-
-#Import root certificate into client
-client_import_root_certificate:
- @echo "Import root certificate into intermediate"
- ${DOCKER_EXEC} sh -c "cat root.crt >> certServiceClientByRoot.crt"
- @echo "####done####"
-
-#Import signed certificate into certService's client
-client_convert_certificate_to_jks:
- @echo "Import signed certificate into certService's client"
- ${DOCKER_EXEC} keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt
- @echo "####done####"
-
-#Generate certService private and public keys
-server_generate_keys:
- @echo "Generate certService private and public keys"
- ${DOCKER_EXEC} keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 365 \
- -keystore certServiceServer-keystore.jks -storetype JKS \
- -dname "CN=oom-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \
- -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false"
- @echo "####done####"
-
-#Generate certificate signing request for certService
-server_generate_csr:
- @echo "Generate certificate signing request for certService"
- ${DOCKER_EXEC} keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr
- @echo "####done####"
-
-#Sign certService certificate by root CA
-server_sign_certificate_by_root:
- @echo "Sign certService certificate by root CA"
- ${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \
- -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \
- -ext SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost"
- @echo "####done####"
-
-#Import root certificate into server
-server_import_root_certificate:
- @echo "Import root certificate into intermediate(server)"
- ${DOCKER_EXEC} sh -c "cat root.crt >> certServiceServerByRoot.crt"
- @echo "####done####"
-
-#Import signed certificate into certService
-server_convert_certificate_to_jks:
- @echo "Import signed certificate into certService"
- ${DOCKER_EXEC} keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \
- -storepass secret -noprompt
- @echo "####done####"
-
-#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)
-server_convert_certificate_to_p12:
- @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
- ${DOCKER_EXEC} keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \
- -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
- @echo "#####done#####"
-
-#Convert truststore(.jks) to PCKS12 format(.p12)
-convert_truststore_to_p12:
- @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
- ${DOCKER_EXEC} keytool -importkeystore -srckeystore truststore.jks -srcstorepass secret \
- -destkeystore truststore.p12 -deststoretype PKCS12 -deststorepass secret
- @echo "#####done#####"
-
-#Convert truststore(.p12) to PEM format(.pem)
-convert_truststore_to_pem:
- @echo "Convert certServiceServer-keystore(.p12) to PEM format(.pem)"
- ${DOCKER_EXEC} openssl pkcs12 -nodes -in truststore.p12 -out truststore.pem -passin pass:secret
- @echo "#####done#####"
-
-#Export certificates from certServiceServer-keystore(.p12) to PEM format(.pem)
-server_export_certificate_to_pem:
- @echo "Export certificates from certServiceClient-keystore(.p12) to PEM format(.pem)"
- ${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nokeys -out certServiceServer-cert.pem
- @echo "#####done#####"
-
-#Export keys from certServiceServer-keystore(.p12) to PEM format(.pem)
-server_export_key_to_pem:
- @echo "Export keys from certServiceClient-keystore(.p12) to PEM format(.pem)"
- ${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nocerts -out certServiceServer-key.pem
- @echo "#####done#####"
-
-
-#Clear unused certificates
-clear_unused_files:
- @echo "Clear unused certificates"
- ${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr truststore.p12
- @echo "#####done#####"
- name: repositoryGenerator
version: ~8.x-0
repository: '@local'
+ - name: certManagerCertificate
+ version: ~8.x-0
+ repository: '@local'
+ - name: cmpv2Config
+ version: ~8.x-0
+ repository: '@local'
\ No newline at end of file
--- /dev/null
+{{/*
+# Copyright © 2020-2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "certManagerCertificate.certificate" . }}
- name: ROOT_CERT
value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.truststore.crtName }}"
- name: KEYSTORE_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 14 }}
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "certificates-password" "key" "password") | indent 14 }}
- name: TRUSTSTORE_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 14 }}
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "certificates-password" "key" "password") | indent 14 }}
livenessProbe:
exec:
command:
+++ /dev/null
-{{/*
- # Copyright © 2020, Nokia
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # http://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
-*/}}
-
-{{- if .Values.global.offlineDeploymentBuild }}
-apiVersion: apps/v1
-kind: Deployment
-metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
-spec:
- replicas: {{ .Values.replicaCount }}
- selector: {{- include "common.selectors" . | nindent 4 }}
- template:
- metadata: {{- include "common.templateMetadata" . | nindent 6 }}
- spec:
- containers:
- - name: {{ include "common.name" . }}
- image: {{ include "common.repository" . }}/{{ .Values.certificateGenerationImage }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-{{ end -}}
--- /dev/null
+{{/*
+ # Copyright © 2021, Nokia
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+*/}}
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ .Values.tls.issuer.selfsigning.name }}
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ .Values.tls.issuer.ca.name }}
+ namespace: {{ include "common.namespace" . }}
+spec:
+ ca:
+ secretName: {{ .Values.tls.issuer.ca.secret.name }}
\ No newline at end of file
{{ (.Files.Glob "resources/default/cmpServers.json").AsSecrets }}
{{ end }}
---
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Values.global.certService.certServiceClient.secret.name | default .Values.tls.client.secret.defaultName }}
-type: Opaque
-data:
- certServiceClient-keystore.jks:
- {{ (.Files.Glob "resources/certServiceClient-keystore.jks").AsSecrets }}
- truststore.jks:
- {{ (.Files.Glob "resources/truststore.jks").AsSecrets }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Values.tls.server.secret.name }}
-type: Opaque
-data:
- certServiceServer-keystore.jks:
- {{ (.Files.Glob "resources/certServiceServer-keystore.jks").AsSecrets }}
- certServiceServer-keystore.p12:
- {{ (.Files.Glob "resources/certServiceServer-keystore.p12").AsSecrets }}
- truststore.jks:
- {{ (.Files.Glob "resources/truststore.jks").AsSecrets }}
- root.crt:
- {{ (.Files.Glob "resources/root.crt").AsSecrets }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Values.tls.provider.secret.name }}
-type: Opaque
-data:
- certServiceServer-key.pem:
- {{ (.Files.Glob "resources/certServiceServer-key.pem").AsSecrets }}
- certServiceServer-cert.pem:
- {{ (.Files.Glob "resources/certServiceServer-cert.pem").AsSecrets }}
- truststore.pem:
- {{ (.Files.Glob "resources/truststore.pem").AsSecrets }}
+
{{ end -}}
# Standard OOM
pullPolicy: "Always"
repository: "nexus3.onap.org:10001"
- offlineDeploymentBuild: false
# Service configuration
port: 8443
port_protocol: http
-# Certificates generation configuration
-certificateGenerationImage: onap/integration-java11:7.2.0
-
# Deployment configuration
repository: "nexus3.onap.org:10001"
image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.3
mountPath: /etc/onap/oom/certservice
tls:
+ issuer:
+ selfsigning:
+ name: &selfSigningIssuer cmpv2-selfsigning-issuer
+ ca:
+ name: &caIssuer cmpv2-ca-issuer
+ secret:
+ name: &caKeyPairSecret cmpv2-ca-key-pair
server:
secret:
- name: oom-cert-service-server-tls-secret
+ name: &serverSecret oom-cert-service-server-tls-secret
volume:
name: oom-cert-service-server-tls-volume
mountPath: /etc/onap/oom/certservice/certs/
client:
secret:
defaultName: oom-cert-service-client-tls-secret
- provider:
- secret:
- name: cmpv2-issuer-secret
envs:
keystore:
- jksName: certServiceServer-keystore.jks
- p12Name: certServiceServer-keystore.p12
- pemName: certServiceServer-keystore.pem
+ jksName: keystore.jks
+ p12Name: keystore.p12
+ pemName: tls.crt
truststore:
jksName: truststore.jks
- crtName: root.crt
- pemName: truststore.pem
+ crtName: ca.crt
+ pemName: tls.crt
httpsPort: 8443
# External secrets with credentials can be provided to override default credentials defined below,
# by uncommenting and filling appropriate *ExternalSecret value
credentials:
tls:
- keystorePassword: secret
- truststorePassword: secret
- #keystorePasswordExternalSecret:
- #truststorePasswordExternalSecret:
+ certificatesPassword: secret
+ #certificatesPasswordExternalSecret:
# Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled
cmp:
# Used only if cmpv2 testing is enabled
# rv: unused
secrets:
- - uid: keystore-password
- name: '{{ include "common.release" . }}-keystore-password'
+ - uid: certificates-password
+ name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}'
type: password
- externalSecret: '{{ tpl (default "" .Values.credentials.tls.keystorePasswordExternalSecret) . }}'
- password: '{{ .Values.credentials.tls.keystorePassword }}'
- passwordPolicy: required
- - uid: truststore-password
- name: '{{ include "common.release" . }}-truststore-password'
- type: password
- externalSecret: '{{ tpl (default "" .Values.credentials.tls.truststorePasswordExternalSecret) . }}'
- password: '{{ .Values.credentials.tls.truststorePassword }}'
+ externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}'
+ password: '{{ .Values.credentials.tls.certificatesPassword }}'
passwordPolicy: required
# Below values are relevant only if global addTestingComponents flag is enabled
- uid: ejbca-server-client-iak
type: password
externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}'
password: '{{ .Values.credentials.cmp.ra.rv }}'
+
+# Certificates definitions
+certificates:
+ - name: selfsigned-cert
+ secretName: *caKeyPairSecret
+ isCA: true
+ commonName: root.com
+ subject:
+ organization: Root Company
+ country: PL
+ locality: Wroclaw
+ province: Dolny Slask
+ organizationalUnit: Root Org
+ issuer:
+ name: *selfSigningIssuer
+ kind: Issuer
+ - name: cert-service-server-cert
+ secretName: *serverSecret
+ commonName: oom-cert-service
+ dnsNames:
+ - oom-cert-service
+ - localhost
+ subject:
+ organization: certServiceServer org
+ country: PL
+ locality: Wroclaw
+ province: Dolny Slask
+ organizationalUnit: certServiceServer company
+ usages:
+ - server auth
+ - client auth
+ keystore:
+ outputType:
+ - jks
+ - p12
+ passwordSecretRef:
+ name: *certificatesPasswordSecretName
+ key: password
+ issuer:
+ name: *caIssuer
+ kind: Issuer
+ - name: cert-service-client-cert
+ secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}'
+ commonName: certServiceClient.com
+ subject:
+ organization: certServiceClient org
+ country: PL
+ locality: Wroclaw
+ province: Dolny Slask
+ organizationalUnit: certServiceClient company
+ usages:
+ - server auth
+ - client auth
+ keystore:
+ outputType:
+ - jks
+ passwordSecretRef:
+ name: *certificatesPasswordSecretName
+ key: password
+ issuer:
+ name: *caIssuer
+ kind: Issuer
<!--
============LICENSE_START=======================================================
Copyright (C) 2020 Bell Canada. All rights reserved.
+ Modifications Copyright (C) 2021 AT&T Intellectual Property. All rights reserved.
================================================================================
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
- <Pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</Pattern>
+ <Pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</Pattern>
</encoder>
</appender>
<appender-ref ref="AsyncStdOut" />
</root>
-</configuration>
\ No newline at end of file
+</configuration>
uid: 101
gid: 102
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWORD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }});
<!--
============LICENSE_START=======================================================
Copyright (C) 2020 Bell Canada. All rights reserved.
+ Modifications Copyright (C) 2021 AT&T Intellectual Property. All rights reserved.
================================================================================
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
- <Pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</Pattern>
+ <Pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</Pattern>
</encoder>
</appender>
uid: 100
gid: 101
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }});
cpu: 200m
memory: 2Gi
unlimited: {}
-
spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller,clamp-ssl-config,clamp-policy-controller,default-dictionary-elements
#The log folder that will be used in logback.xml file
-clamp.config.files.sdcController=file:/opt/policy/clamp/sdc-controllers-config.json
+clamp.config.files.sdcController=file:/opt/policy/clamp/sdc-controllers-config-pass.json
#
# Configuration Settings for Policy Engine Components
-clamp.config.policy.api.url=https4://policy-api.{{ include "common.namespace" . }}:6969
+clamp.config.policy.api.url=https://policy-api.{{ include "common.namespace" . }}:6969
clamp.config.policy.api.userName=healthcheck
clamp.config.policy.api.password=zb!XztG34
-clamp.config.policy.pap.url=https4://policy-pap.{{ include "common.namespace" . }}:6969
+clamp.config.policy.pap.url=https://policy-pap.{{ include "common.namespace" . }}:6969
clamp.config.policy.pap.userName=healthcheck
clamp.config.policy.pap.password=zb!XztG34
#DCAE Inventory Url Properties
-clamp.config.dcae.inventory.url=https4://inventory.{{ include "common.namespace" . }}:8080
-clamp.config.dcae.dispatcher.url=https4://deployment-handler.{{ include "common.namespace" . }}:8443
+clamp.config.dcae.inventory.url=https://inventory.{{ include "common.namespace" . }}:8080
+clamp.config.dcae.dispatcher.url=https://deployment-handler.{{ include "common.namespace" . }}:8443
#DCAE Deployment Url Properties
-clamp.config.dcae.deployment.url=https4://deployment-handler.{{ include "common.namespace" . }}:8443
+clamp.config.dcae.deployment.url=https://deployment-handler.{{ include "common.namespace" . }}:8443
clamp.config.dcae.deployment.userName=none
clamp.config.dcae.deployment.password=none
# limitations under the License.
*/}}
-mysql -h"${MYSQL_HOST}" -P"${MYSQL_PORT}" -u"${MYSQL_USER}" -p"${MYSQL_PASSWORD}" policyclamp < /dbcmd-config/policy-clamp-create-tables.sql
+mysql -h"${MYSQL_HOST}" -P"${MYSQL_PORT}" -u"${MYSQL_USER}" -p"${MYSQL_PASSWORD}" -f policyclamp < /dbcmd-config/policy-clamp-create-tables.sql
"consumerId": "clamp",
"environmentName": "AUTO",
"sdcAddress": "sdc-be.{{ include "common.namespace" . }}:8443",
- "password": "b7acccda32b98c5bb7acccda32b98c5b05D511BD6D93626E90D18E9D24D9B78CD34C7EE8012F0A189A28763E82271E50A5D4EC10C7D93E06E0A2D27CAE66B981",
+ "password": "${SDC_CLIENT_PASSWORD_ENC}",
"pollingInterval":30,
"pollingTimeout":30,
"activateServerTLSAuth":"false",
- |
{{- if .Values.global.aafEnabled }}
export $(grep '^cadi_' {{ .Values.certInitializer.credsPath }}/org.onap.clamp.cred.props | xargs -0)
+ export SDC_CLIENT_PASSWORD_ENC=`java -jar {{ .Values.certInitializer.credsPath }}/aaf-cadi-aaf-2.1.20-full.jar cadi digest ${SDC_CLIENT_PASSWORD} {{ .Values.certInitializer.credsPath }}/org.onap.clamp.keyfile`;
+ envsubst < "/opt/policy/clamp/sdc-controllers-config.json" > "/opt/policy/clamp/sdc-controllers-config-pass.json"
{{- end }}
java -Djava.security.egd=file:/dev/./urandom ${JAVA_RAM_CONFIGURATION} -jar ./policy-clamp-backend.jar
ports:
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12 }}
- name: MYSQL_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "password") | indent 12 }}
+ - name: SDC_CLIENT_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdc-creds" "key" "password") | indent 12 }}
{{- if ne "unlimited" (include "common.flavor" .) }}
- name: JAVA_RAM_CONFIGURATION
value: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=75
credsPath: /opt/app/osaaf/local
aaf_add_config: >
/opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop;
- grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_truststore_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_truststore_password.pwd;
- grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_key_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_key_password.pwd;
- grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_keystore_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_keystore_password.pwd;
- grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_keystore_password_p12=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_keystore_password_p12.pwd;
cd {{ .Values.credsPath }};
chmod a+rx *;
login: '{{ .Values.db.user }}'
password: '{{ .Values.db.password }}'
passwordPolicy: required
+ - uid: sdc-creds
+ type: password
+ externalSecret: '{{ tpl (default "" .Values.sdc.sdcClientExternalSecret) . }}'
+ password: '{{ .Values.sdc.clientPassword }}'
+ passwordPolicy: required
flavor: small
# application image
-image: onap/policy-clamp-backend:6.0.2
+image: onap/policy-clamp-backend:6.1.1
pullPolicy: Always
# flag to enable debugging - application support required
#####dummy values for db user and password to pass lint!!!#######
+sdc:
+ clientPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
+
db:
user: policy_user
password: policy_user
app_ns: org.osaaf.aaf
credsPath: /opt/app/osaaf/local
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass | grep '^c' | xargs -0);
cd {{ .Values.credsPath }};
openssl pkcs12 -in {{ .Values.keystoreFile }} -nocerts -nodes -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_key }};
openssl pkcs12 -in {{ .Values.keystoreFile }} -clcerts -nokeys -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_pem }};
flavor: small
# application image
-image: onap/policy-clamp-frontend:6.0.2
+image: onap/policy-clamp-frontend:6.1.1
pullPolicy: Always
# flag to enable debugging - application support required
<!--
============LICENSE_START=======================================================
Copyright (C) 2020 Bell Canada. All rights reserved.
+ Modifications Copyright (C) 2021 AT&T Intellectual Property. All rights reserved.
================================================================================
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
- <Pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</Pattern>
+ <Pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</Pattern>
</encoder>
</appender>
<appender-ref ref="AsyncStdOut" />
</root>
-</configuration>
\ No newline at end of file
+</configuration>
uid: 100
gid: 101
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }});
<!--
============LICENSE_START=======================================================
Copyright (C) 2020 Bell Canada. All rights reserved.
+ Modifications Copyright (C) 2021 AT&T Intellectual Property. All rights reserved.
================================================================================
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
- <Pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</Pattern>
+ <Pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</Pattern>
</encoder>
</appender>
<appender-ref ref="AsyncTransactionStdOut" />
</root>
-</configuration>
\ No newline at end of file
+</configuration>
uid: 100
gid: 101
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
echo "export CADI_KEYFILE='{{ .Values.credsPath }}/org.onap.policy.keyfile'" >> {{ .Values.credsPath }}/.ci;
<!--
============LICENSE_START=======================================================
Copyright (C) 2020 Bell Canada. All rights reserved.
+ Modifications Copyright (C) 2021 AT&T Intellectual Property. All rights reserved.
================================================================================
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
- <Pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</Pattern>
+ <Pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</Pattern>
</encoder>
</appender>
uid: 100
gid: 101
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }});
cpu: 200m
memory: 2Gi
unlimited: {}
-
<!--
============LICENSE_START=======================================================
Copyright (C) 2020 Bell Canada. All rights reserved.
+ Modifications Copyright (C) 2021 AT&T Intellectual Property. All rights reserved.
================================================================================
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
- <Pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</Pattern>
+ <Pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</Pattern>
</encoder>
</appender>
<appender-ref ref="AsyncStdOut" />
</root>
-</configuration>
\ No newline at end of file
+</configuration>
uid: 100
gid: 101
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }});
cpu: 200m
memory: 2Gi
unlimited: {}
-
-Djavax.net.ssl.keyStore="{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }}"
-Djavax.net.ssl.trustStore="{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }}"
{{- else }}
- args: ["/start-apache-tomcat.sh -i "" -n "" -b {{ .Values.global.env.tomcatDir }}"]
+ args: ["/start-apache-tomcat.sh -i \"\" -n \"\" -b {{ .Values.global.env.tomcatDir }}"]
{{- end }}
ports:
- containerPort: {{ .Values.service.internalPort }}
permission_group: 999
keystoreFile: "org.onap.portal.p12"
truststoreFile: "org.onap.portal.trust.jks"
- aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- /opt/app/aaf_config/bin/agent.sh local showpass \
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ aaf_add_config: |
+ echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop
# default number of instances
replicaCount: 1
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
extraArgs+=( '--dont-use-mysql-root-password' )
fi
- if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then
+ if echo 'SELECT 1' |docker_process_sql "${extraArgs[@]}" --database=mysql >/dev/null 2>&1; then
break
fi
sleep 1
# Creates a custom database and user if specified
if [ -n "$MYSQL_DATABASE" ]; then
mysql_note "Creating database ${MYSQL_DATABASE}"
- docker_process_sql --database=mysql <<<"CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;"
+ echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" |docker_process_sql --database=mysql
fi
if [ -n "$MYSQL_USER" ] && [ -n "$MYSQL_PASSWORD" ]; then
mysql_note "Creating user ${MYSQL_USER}"
- docker_process_sql --database=mysql <<<"CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;"
+ echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" |docker_process_sql --database=mysql
if [ -n "$MYSQL_DATABASE" ]; then
mysql_note "Giving user ${MYSQL_USER} access to schema ${MYSQL_DATABASE}"
- docker_process_sql --database=mysql <<<"GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;"
+ echo "GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;" |docker_process_sql --database=mysql
fi
- docker_process_sql --database=mysql <<<"FLUSH PRIVILEGES ;"
+ echo "FLUSH PRIVILEGES ;" |docker_process_sql --database=mysql
fi
}
permission_group: 999
keystoreFile: "org.onap.portal.p12"
truststoreFile: "org.onap.portal.trust.jks"
- aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- /opt/app/aaf_config/bin/agent.sh local showpass \
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ aaf_add_config: |
+ echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop
# flag to enable debugging - application support required
debugEnabled: false
+#!/bin/sh -x
+
# Copyright © 2018 Amdocs, Bell Canada, AT&T
#
# Licensed under the Apache License, Version 2.0 (the "License");
# See the License for the specific language governing permissions and
# limitations under the License.
-#!/bin/sh -x
SQL_DEST_DIR=${SQL_DEST_DIR:-/tmp/sql}
DB_PORT=${DB_PORT:-3306}
#
# Execute tags built to support the hands-on demo
#
-function usage
+usage ()
{
echo "Usage: demo-k8s.sh <namespace> <command> [<parameters>] [execscript]"
echo " "
# Check if execscript flag is used and drop it from input arguments
-if [[ "${!#}" == "execscript" ]]; then
+if [[ "${!#}" = "execscript" ]]; then
set -- "${@:1:$#-1}"
execscript=true
fi
+#!/bin/bash
+
# Copyright © 2018 Amdocs, Bell Canada
#
# Licensed under the Apache License, Version 2.0 (the "License");
# See the License for the specific language governing permissions and
# limitations under the License.
-#!/bin/bash
-
#
# Run the testsuite for the passed tag. Valid tags are listed in usage help
# Please clean up logs when you are done...
#
-if [ "$1" == "" ] || [ "$2" == "" ]; then
+if [ "$1" = "" ] || [ "$2" = "" ]; then
echo "Usage: ete-k8s.sh [namespace] [tag] [execscript]"
echo ""
echo " List of test case tags (filename for intent: tag)"
ETEHOME=/var/opt/ONAP
-if [[ "${!#}" == "execscript" ]]; then
+if [[ "${!#}" = "execscript" ]]; then
for script in $(ls -1 "$DIR/$SCRIPTDIR"); do
[ -f "$DIR/$SCRIPTDIR/$script" ] && [ -x "$DIR/$SCRIPTDIR/$script" ] && source "$DIR/$SCRIPTDIR/$script"
done
+#!/bin/bash
+
# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# See the License for the specific language governing permissions and
# limitations under the License.
-#!/bin/bash
-
#
# Run the health-check testsuites for the tags discovered by helm list
# Please clean up logs when you are done...
#
-if [ "$1" == "" ] ; then
+if [ "$1" = "" ] ; then
echo "Usage: eteHelm-k8s.sh [namespace] [execscript]"
echo " list projects via helm list and runs health-check with those tags except dev and dev-consul"
echo " [execscript] - optional parameter to execute user custom scripts located in scripts/helmscript directory"
ETEHOME=/var/opt/ONAP
-if [[ "${!#}" == "execscript" ]]; then
+if [[ "${!#}" = "execscript" ]]; then
for script in $(ls -1 "$DIR/$SCRIPTDIR"); do
[ -f "$DIR/$SCRIPTDIR/$script" ] && [ -x "$DIR/$SCRIPTDIR/$script" ] && source "$DIR/$SCRIPTDIR/$script"
done
FOLDER=
POLL=0
-function check_required_parameter() {
+check_required_parameter () {
# arg1 = parameter
# arg2 = parameter name
if [ -z "$1" ]; then
fi
}
-function check_optional_paramater() {
+check_optional_paramater () {
# arg1 = parameter
# arg2 = parameter name
if [ -z $1 ]; then
echo "Executing instantiation..."
if [ $POLL = 1 ]; then
- kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "${ETEHOME}/runTags.sh ${VARIABLEFILES} ${VARIABLES} -d /share/logs/${OUTPUT_FOLDER} ${TAGS} --listener ${ETEHOME}/testsuite/eteutils/robotframework-onap/listeners/OVPListener.py --display $DISPLAY_NUM > /tmp/vnf_instantiation.$BUILDNUM.log 2>&1 &"
+ kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "${ETEHOME}/runTags.sh ${VARIABLEFILES} ${VARIABLES} -d /share/logs/${OUTPUT_FOLDER} ${TAGS} --listener ${ETEHOME}/testsuite/eteutils/robotframework-onap/listeners/OVPListener.py --display $DISPLAY_NUM > /tmp/vnf_instantiation.$BUILDNUM.log 2>&1 &"
- pid=`kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "pgrep runTags.sh -n"`
+ pid=`kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "pgrep runTags.sh -n"`
if [ -z "$pid" ]; then
echo "robot testsuite unable to start"
kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "while ps -p \"$pid\" --no-headers | grep -v defunct; do echo \$'\n\n'; echo \"Testsuite still running \"\`date\`; echo \"LOG FILE: \"; tail -10 /tmp/vnf_instantiation.$BUILDNUM.log; sleep 30; done"
else
- kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "${ETEHOME}/runTags.sh ${VARIABLEFILES} ${VARIABLES} -d /share/logs/${OUTPUT_FOLDER} ${TAGS} --listener ${ETEHOME}/testsuite/eteutils/robotframework-onap/listeners/OVPListener.py --display $DISPLAY_NUM"
+ kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "${ETEHOME}/runTags.sh ${VARIABLEFILES} ${VARIABLES} -d /share/logs/${OUTPUT_FOLDER} ${TAGS} --listener ${ETEHOME}/testsuite/eteutils/robotframework-onap/listeners/OVPListener.py --display $DISPLAY_NUM"
fi
-set +x
+set +x
echo "testsuite has finished"
GLOBAL_INJECTED_SO_OPENSTACK_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "so-openstack-adapter") }}'
GLOBAL_INJECTED_SO_REQDB_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "so-request-db-adapter") }}'
GLOBAL_INJECTED_SO_SDNC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "so-sdnc-adapter") }}'
-GLOBAL_INJECTED_SO_VFC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "so-vfc-adapter") }}'
+GLOBAL_INJECTED_SO_VFC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "so-etsi-sol005-adapter") }}'
GLOBAL_INJECTED_SO_VNFM_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "so-etsi-sol003-adapter") }}'
GLOBAL_INJECTED_SO_NSSMF_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "so-nssmf-adapter") }}'
GLOBAL_INJECTED_UBUNTU_1404_IMAGE = '{{ .Values.ubuntu14Image }}'
GLOBAL_SO_OPENSTACK_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "so-openstack-adapter" "port" 8087) }}'
GLOBAL_SO_REQDB_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "so-request-db-adapter" "port" 8083) }}'
GLOBAL_SO_SDNC_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "so-sdnc-adapter" "port" 8086) }}'
-GLOBAL_SO_VFC_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "so-vfc-adapter" "port" 8084) }}'
+GLOBAL_SO_VFC_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "so-etsi-sol005-adapter" "port" 8084) }}'
GLOBAL_SO_VNFM_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "so-etsi-sol003-adapter" "port" 9092) }}'
GLOBAL_SO_NSSMF_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "so-nssmf-adapter" "port" 8088) }}'
GLOBAL_SO_USERNAME = '{{ .Values.soUsername }}'
+#!/bin/bash
+
# Copyright © 2019 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# See the License for the specific language governing permissions and
# limitations under the License.
-#!/bin/bash
-
#
# Generate HV-VES SSL related certs.
# Copy the stuff to HV-VES and Robot pods.
-# SPDX-License-Identifier: Apache-2.0
-
#!/bin/bash
+# SPDX-License-Identifier: Apache-2.0
+
#
# Create root certificate CA (Certificate Authority) and its private key.
# Create the package certificate issued by CA
# application image
repository: nexus3.onap.org:10001
-image: onap/testsuite:1.7.3
+image: onap/testsuite:1.8.0
pullPolicy: Always
ubuntuInitImage: oomk8s/ubuntu-init:2.0.0
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
timeoutSeconds: {{ .Values.liveness.timeoutSeconds }}
+ successThreshold: {{ .Values.liveness.successThreshold }}
+ failureThreshold: {{ .Values.liveness.failureThreshold }}
{{ end }}
readinessProbe:
exec:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
timeoutSeconds: {{ .Values.readiness.timeoutSeconds }}
+ successThreshold: {{ .Values.readiness.successThreshold }}
+ failureThreshold: {{ .Values.readiness.failureThreshold }}
+ resources: {{ include "common.resources" . | nindent 12 }}
+ startupProbe:
+ exec:
+ command:
+ - "/var/lib/jetty/ready-probe.sh"
+ initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }}
+ periodSeconds: {{ .Values.startup.periodSeconds }}
+ timeoutSeconds: {{ .Values.startup.timeoutSeconds }}
+ successThreshold: {{ .Values.startup.successThreshold }}
+ failureThreshold: {{ .Values.startup.failureThreshold }}
resources: {{ include "common.resources" . | nindent 12 }}
env:
- name: ENVNAME
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-backend-all-plugins:1.8.4
-backendInitImage: onap/sdc-backend-init:1.8.4
+image: onap/sdc-backend-all-plugins:1.8.5
+backendInitImage: onap/sdc-backend-init:1.8.5
pullPolicy: Always
truststoreFile: "org.onap.sdc.trust.jks"
permission_user: 352070
permission_group: 35953
- aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh local showpass
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ aaf_add_config: |
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop
#################################################################
# SDC Config part
# probe configuration parameters
liveness:
- initialDelaySeconds: 120
+ initialDelaySeconds: 1
periodSeconds: 10
timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 3
# necessary to disable liveness probe when setting breakpoints
# in debugger so K8s doesn't restart unresponsive container
port: api
enabled: true
readiness:
- initialDelaySeconds: 60
+ initialDelaySeconds: 1
periodSeconds: 10
timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 3
+
+startup:
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 60
service:
type: NodePort
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/sdc-cassandra:1.8.4
-cassandraInitImage: onap/sdc-cassandra-init:1.8.4
+image: onap/sdc-cassandra:1.8.5
+cassandraInitImage: onap/sdc-cassandra-init:1.8.5
pullPolicy: Always
config:
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
timeoutSeconds: {{ .Values.liveness.timeoutSeconds }}
+ successThreshold: {{ .Values.liveness.successThreshold }}
+ failureThreshold: {{ .Values.liveness.failureThreshold }}
{{ end }}
readinessProbe:
tcpSocket:
port: {{ .Values.service.internalPort2 }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
- timeoutSeconds: {{ .Values.liveness.timeoutSeconds }}
+ timeoutSeconds: {{ .Values.readiness.timeoutSeconds }}
+ successThreshold: {{ .Values.readiness.successThreshold }}
+ failureThreshold: {{ .Values.readiness.failureThreshold }}
+ startupProbe:
+ tcpSocket:
+ port: {{ .Values.service.internalPort2 }}
+ initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }}
+ periodSeconds: {{ .Values.startup.periodSeconds }}
+ timeoutSeconds: {{ .Values.startup.timeoutSeconds }}
+ successThreshold: {{ .Values.startup.successThreshold }}
+ failureThreshold: {{ .Values.startup.failureThreshold }}
resources: {{ include "common.resources" . | nindent 12 }}
env:
- name: ENVNAME
truststoreFile: "org.onap.sdc.trust.jks"
permission_user: 352070
permission_group: 35953
- aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh local showpass
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ aaf_add_config: |
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop
#################################################################
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-frontend:1.8.4
+image: onap/sdc-frontend:1.8.5
pullPolicy: Always
config:
# probe configuration parameters
liveness:
- initialDelaySeconds: 10
- periodSeconds: 60
+ initialDelaySeconds: 1
+ periodSeconds: 10
timeoutSeconds: 15
+ successThreshold: 1
+ failureThreshold: 3
# necessary to disable liveness probe when setting breakpoints
# in debugger so K8s doesn't restart unresponsive container
enabled: true
readiness:
+ initialDelaySeconds: 1
+ periodSeconds: 10
+ timeoutSeconds: 15
+ successThreshold: 1
+ failureThreshold: 3
+
+startup:
initialDelaySeconds: 10
- periodSeconds: 60
+ periodSeconds: 10
timeoutSeconds: 15
+ successThreshold: 1
+ failureThreshold: 60
service:
#Example service definition with external, internal and node ports.
--- /dev/null
+# ===========LICENSE_START========================================================
+# Copyright (c) 2021 Nokia. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: v1
+description: ONAP Service Design and Creation Helm Validator
+name: sdc-helm-validator
+version: 8.0.0
--- /dev/null
+# ===========LICENSE_START========================================================
+# Copyright (c) 2021 Nokia. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+dependencies:
+ - name: repositoryGenerator
+ version: ~8.x-0
+ repository: '@local'
+ - name: common
+ version: ~8.x-0
+ repository: '@local'
--- /dev/null
+{{/*
+# ===========LICENSE_START========================================================
+# Copyright (c) 2021 Nokia. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: apps/v1
+kind: Deployment
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+spec:
+ selector: {{- include "common.selectors" . | nindent 4 }}
+ replicas: 1
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ containers:
+ - name: {{ include "common.name" . }}
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ resources: {{ include "common.resources" . | nindent 12 }}
+ ports: {{ include "common.containerPorts" . | nindent 12 }}
+ env:
+ - name: LOG_LEVEL
+ value: {{ .Values.config.loggingLevel }}
+ livenessProbe:
+ httpGet:
+ path: {{ .Values.liveness.path }}
+ port: {{ .Values.liveness.port }}
+ initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.liveness.periodSeconds }}
+ successThreshold: {{ .Values.liveness.successThreshold }}
+ failureThreshold: {{ .Values.liveness.failureThreshold }}
+ startupProbe:
+ httpGet:
+ path: {{ .Values.startup.path }}
+ port: {{ .Values.startup.port }}
+ initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }}
+ periodSeconds: {{ .Values.startup.periodSeconds }}
+ successThreshold: {{ .Values.startup.successThreshold }}
+ failureThreshold: {{ .Values.startup.failureThreshold }}
+ imagePullSecrets:
+ - name: "{{ include "common.namespace" . }}-docker-registry-key"
--- /dev/null
+{{/*
+# ===========LICENSE_START========================================================
+# Copyright (c) 2021 Nokia. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.service" . }}
--- /dev/null
+# ===========LICENSE_START========================================================
+# Copyright (c) 2021 Nokia. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+# Global values
+global:
+ pullPolicy: Always
+
+image: onap/org.onap.sdc.sdc-helm-validator:1.2.0
+containerPort: &svc_port 8080
+
+config:
+ loggingLevel: INFO
+
+service:
+ type: ClusterIP
+ ports:
+ - name: &port http
+ port: *svc_port
+
+liveness:
+ initialDelaySeconds: 1
+ periodSeconds: 10
+ path: /actuator/health
+ successThreshold: 1
+ failureThreshold: 3
+ port: *port
+ # necessary to disable liveness probe when setting breakpoints
+ # in debugger so K8s doesn't restart unresponsive container
+ enabled: true
+
+startup:
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ path: /actuator/health
+ successThreshold: 1
+ failureThreshold: 12
+ port: *port
+
+flavor: small
+resources:
+ small:
+ limits:
+ cpu: 1
+ memory: 256Mi
+ requests:
+ cpu: 1
+ memory: 256Mi
+ large:
+ limits:
+ cpu: 2
+ memory: 1Gi
+ requests:
+ cpu: 1
+ memory: 256Mi
+ unlimited: {}
memory: 20Mi
{{- end }}
- name: volume-permissions
- image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }}
+ image: {{ include "repositoryGenerator.image.busybox" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command:
- sh
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
timeoutSeconds: {{ .Values.liveness.timeoutSeconds }}
+ successThreshold: {{ .Values.liveness.successThreshold }}
+ failureThreshold: {{ .Values.liveness.failureThreshold }}
{{ end }}
readinessProbe:
exec:
- "/var/lib/jetty/ready-probe.sh"
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
- timeoutSeconds: {{ .Values.liveness.timeoutSeconds }}
+ timeoutSeconds: {{ .Values.readiness.timeoutSeconds }}
+ successThreshold: {{ .Values.readiness.successThreshold }}
+ failureThreshold: {{ .Values.readiness.failureThreshold }}
+ startupProbe:
+ exec:
+ command:
+ - "/var/lib/jetty/ready-probe.sh"
+ initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }}
+ periodSeconds: {{ .Values.startup.periodSeconds }}
+ timeoutSeconds: {{ .Values.startup.timeoutSeconds }}
+ successThreshold: {{ .Values.startup.successThreshold }}
+ failureThreshold: {{ .Values.startup.failureThreshold }}
resources: {{ include "common.resources" . | nindent 12 }}
env:
- name: ENVNAME
truststoreFile: "org.onap.sdc.trust.jks"
permission_user: 352070
permission_group: 35953
- aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh local showpass
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ aaf_add_config: |
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop
#################################################################
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-onboard-backend:1.8.4
-onboardingInitImage: onap/sdc-onboard-cassandra-init:1.8.4
+image: onap/sdc-onboard-backend:1.8.5
+onboardingInitImage: onap/sdc-onboard-cassandra-init:1.8.5
pullPolicy: Always
# flag to enable debugging - application support required
# probe configuration parameters
liveness:
- initialDelaySeconds: 120
- periodSeconds: 60
+ initialDelaySeconds: 1
+ periodSeconds: 10
timeoutSeconds: 15
+ successThreshold: 1
+ failureThreshold: 3
# necessary to disable liveness probe when setting breakpoints
# in debugger so K8s doesn't restart unresponsive container
enabled: true
readiness:
- initialDelaySeconds: 120
- periodSeconds: 60
+ initialDelaySeconds: 1
+ periodSeconds: 10
timeoutSeconds: 15
+ successThreshold: 1
+ failureThreshold: 3
+
+startup:
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 15
+ successThreshold: 1
+ failureThreshold: 60
service:
type: ClusterIP
port: {{ template "wfd-be.internalPort" . }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
+ successThreshold: {{ .Values.liveness.successThreshold }}
+ failureThreshold: {{ .Values.liveness.failureThreshold }}
{{ end }}
readinessProbe:
tcpSocket:
port: {{ template "wfd-be.internalPort" . }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
+ successThreshold: {{ .Values.readiness.successThreshold }}
+ failureThreshold: {{ .Values.readiness.failureThreshold }}
+ startupProbe:
+ tcpSocket:
+ port: {{ template "wfd-be.internalPort" . }}
+ initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }}
+ periodSeconds: {{ .Values.startup.periodSeconds }}
+ successThreshold: {{ .Values.startup.successThreshold }}
+ failureThreshold: {{ .Values.startup.failureThreshold }}
env:
- name: JAVA_OPTIONS
value: {{ .Values.config.javaOptions }}
truststoreFile: "org.onap.sdc.trust.jks"
permission_user: 352070
permission_group: 35953
- aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh local showpass
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ aaf_add_config: |
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop
#################################################################
# Application configuration defaults.
initialDelaySeconds: 60
periodSeconds: 10
+# probe configuration parameters
+liveness:
+ initialDelaySeconds: 1
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 3
+ # necessary to disable liveness probe when setting breakpoints
+ # in debugger so K8s doesn't restart unresponsive container
+ enabled: true
+
+readiness:
+ initialDelaySeconds: 1
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 3
+
+startup:
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 60
+
service:
type: NodePort
portName: sdc-wfd-be
port: {{ template "wfd-fe.internalPort" . }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
+ successThreshold: {{ .Values.liveness.successThreshold }}
+ failureThreshold: {{ .Values.liveness.failureThreshold }}
{{ end }}
readinessProbe:
tcpSocket:
port: {{ template "wfd-fe.internalPort" . }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
+ successThreshold: {{ .Values.readiness.successThreshold }}
+ failureThreshold: {{ .Values.readiness.failureThreshold }}
+ startupProbe:
+ tcpSocket:
+ port: {{ template "wfd-fe.internalPort" . }}
+ initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }}
+ periodSeconds: {{ .Values.startup.periodSeconds }}
+ successThreshold: {{ .Values.startup.successThreshold }}
+ failureThreshold: {{ .Values.startup.failureThreshold }}
env:
- name: ENVNAME
value: {{ .Values.env.name }}
truststoreFile: "org.onap.sdc.trust.jks"
permission_user: 352070
permission_group: 35953
- aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh local showpass
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ aaf_add_config: |
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop
#################################################################
# Application configuration defaults.
# probe configuration parameters
liveness:
- initialDelaySeconds: 60
+ initialDelaySeconds: 1
periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 3
# necessary to disable liveness probe when setting breakpoints
# in debugger so K8s doesn't restart unresponsive container
enabled: true
readiness:
- initialDelaySeconds: 60
+ initialDelaySeconds: 1
periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 3
+
+startup:
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 60
service:
type: NodePort
version: ~8.x-0
repository: 'file://components/sdc-wfd-fe'
condition: sdc-wfd.enabled
+ - name: sdc-helm-validator
+ version: ~8.x-0
+ repository: 'file://components/sdc-helm-validator'
+ condition: sdc-helm-validator.enabled
# dependency / sub-chart configuration
sdc-wfd:
enabled: true
+sdc-helm-validator:
+ enabled: true
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdnc-dmaap-listener-image:2.1.3
+image: onap/sdnc-dmaap-listener-image:2.1.6
pullPolicy: Always
# flag to enable debugging - application support required
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdnc-ansible-server-image:2.1.3
+image: onap/sdnc-ansible-server-image:2.1.6
pullPolicy: Always
# flag to enable debugging - application support required
*/}}
debugLog(){
- if [ "$enableDebugLogging" == true ]; then
+ if [ "$enableDebugLogging" = true ]; then
if [ $# -eq 0 ]; then
echo "" >> $LOGFILE
else
*/}}
debugLog(){
- if [ "$enableDebugLogging" == true ]; then
+ if [ "$enableDebugLogging" = true ]; then
if [ $# -eq 0 ]; then
echo "" >> $LOGFILE
else
# should PROM start as passive?
state=$( bin/sdnc.cluster )
-if [ "$state" == "standby" ]; then
+if [ "$state" = "standby" ]; then
echo "Starting PROM in passive mode"
passive="-p"
fi
-{{/*
-#/bin/sh
+#!/bin/sh
+{{/*
# Copyright © 2018 Amdocs
#
# Licensed under the Apache License, Version 2.0 (the "License");
enableDebugLogging=true
debugLog(){
- if [ "$enableDebugLogging" == true ]; then
+ if [ "$enableDebugLogging" = true ]; then
if [ $# -eq 0 ]; then
echo "" >> $LOGFILE
else
- name: TILEURL
value: {{ .Values.config.topologyserver.tileserverUrl }}
{{ end }}
-
+ - name: ENABLE_OAUTH
+ value: "{{ .Values.config.oauth.enabled | default "false" }}"
+ - name: ENABLE_ODLUX_RBAC
+ value: "{{ .Values.config.oauth.odluxRbac.enabled | default "false" }}"
volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }}
- mountPath: /etc/localtime
name: localtime
# Application configuration defaults.
#################################################################
# application image
-image: "onap/sdnc-web-image:2.1.3"
+image: "onap/sdnc-web-image:2.1.6"
pullPolicy: Always
config:
sslCertDir: "/opt/app/osaaf/local/certs"
sslCertiticate: "cert.pem"
sslCertKey: "key.pem"
+ oauth:
+ enabled: false
+ odluxRbac:
+ enabled: false
transportpce:
enabled: false
transportpceUrl: http://transportpce.transportpce:8181
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdnc-ueb-listener-image:2.1.3
+image: onap/sdnc-ueb-listener-image:2.1.6
pullPolicy: Always
# flag to enable debugging - application support required
--- /dev/null
+{
+ "tokenSecret": "${OAUTH_TOKEN_SECRET}",
+ "tokenIssuer": {{ .Values.config.sdnr.oauth.tokenIssuer | quote }},
+ "publicUrl": {{ .Values.config.sdnr.oauth.publicUrl | quote }},
+ "redirectUri": "{{ .Values.config.sdnr.oauth.redirectUri | quote | default "null" }}",
+ "supportOdlUsers": "{{ .Values.config.sdnr.oauth.supportOdlUsers | default "true" }}",
+ "providers": {{ .Values.config.sdnr.oauth.providers | toJson }}
+}
\ No newline at end of file
# limitations under the License.
*/}}
-function usage()
+usage ()
{
echo usage: switchVoting.sh primary\|secondary
exit 1
targetPort: {{ .Values.service.internalPort }}
{{- else -}}
port: {{ .Values.service.internalPort4 }}
- target: {{ .Values.service.internalPort4 }}
+ targetPort: {{ .Values.service.internalPort4 }}
{{ end }}
- name: "{{ .Values.service.portName }}-karaf"
port: {{ .Values.service.externalPort2 }}
selector:
statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-2
{{ end }}
+
+{{ if .Values.config.sdnr.netconfCallHome.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "common.servicename" . }}-callhome
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+spec:
+ type: NodePort
+ ports:
+ - name: "{{ .Values.service.portName }}-callhome"
+ port: {{ .Values.service.callHomePort }}
+ targetPort: {{ .Values.service.callHomePort }}
+ nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.callHomeNodePort }}
+ selector:
+ app.kubernetes.io/name: {{ include "common.name" . }}
+ app.kubernetes.io/instance: {{ include "common.release" . }}
+{{ end }}
- name: DMAAP_HTTP_PROXY_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-proxy-creds" "key" "password") | indent 10 }}
{{- end }}
+ {{ if .Values.config.sdnr.oauth.enabled }}
+ - name: OAUTH_TOKEN_SECRET
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "oauth-token-secret" "key" "password") | indent 10 }}
+ - name: KEYCLOAK_SECRET
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keycloak-secret" "key" "password") | indent 10 }}
+
+ - name: ENABLE_ODLUX_RBAC
+ value: "{{ .Values.config.sdnr.oauth.odluxRbac.enabled | default "true" }}"
+ {{ end }}
volumeMounts:
{{ if or .Values.dgbuilder.enabled .Values.config.sdnr.enabled -}}
- --container-name
- {{ include "common.mariadbService" . }}
+ - --job-name
+ - {{ include "common.fullname" . }}-dbinit-job
{{ end -}}
{{ if .Values.config.sdnr.enabled -}}
- --container-name
- containerPort: {{ .Values.service.internalPort2 }}
- containerPort: {{ .Values.service.internalPort3 }}
- containerPort: {{ .Values.service.clusterPort }}
+ {{- if .Values.config.sdnr.netconfCallHome.enabled }}
+ - containerPort: {{ .Values.service.callHomePort }}
+ {{- end }}
readinessProbe:
tcpSocket:
port: {{ .Values.service.internalPort }}
- name: ODL_CERT_DIR
value: {{ (mustFirst (.Values.certificates)).mountPath }}
{{- end }}
-
+ - name: ENABLE_OAUTH
+ value: "{{ .Values.config.sdnr.oauth.enabled | default "false" }}"
+ - name: SDNR_NETCONF_CALLHOME_ENABLED
+ value: "{{ .Values.config.sdnr.netconfCallHome.enabled | default "false" }}"
volumeMounts:
{{ include "common.certInitializer.volumeMount" . | indent 10 }}
{{ include "common.certServiceClient.volumeMounts" . | indent 10 }}
- mountPath: {{ .Values.config.odl.etcDir }}/org.opendaylight.daexim.cfg
name: properties
subPath: org.opendaylight.daexim.cfg
+ {{- if .Values.config.sdnr.oauth.enabled }}
+ - mountPath: {{ .Values.config.odl.etcDir }}/oauth-provider.config.json
+ name: properties
+ subPath: oauth-provider.config.json
+ {{ end }}
resources:
{{ include "common.resources" . | indent 12 }}
{{- if .Values.nodeSelector }}
login: '{{ .Values.config.scaleoutUser }}'
password: '{{ .Values.config.scaleoutPassword }}'
passwordPolicy: required
+ - uid: oauth-token-secret
+ type: password
+ externalSecret: '{{ ternary (tpl (default "" .Values.config.sdnr.oauth.tokenExternalSecret) .) "oauth-disabled" .Values.config.sdnr.oauth.enabled }}'
+ password: '{{ .Values.config.sdnr.oauth.tokenSecret }}'
+ passwordPolicy: required
+ - uid: keycloak-secret
+ type: password
+ externalSecret: '{{ ternary (tpl (default "" .Values.config.sdnr.oauth.providersSecrets.keycloakExternalSecret) .) "oauth-disabled" .Values.config.sdnr.oauth.enabled }}'
+ password: '{{ .Values.config.sdnr.oauth.providersSecrets.keycloak }}'
+ passwordPolicy: required
+
#################################################################
# Certificates
#################################################################
outputType:
- jks
passwordSecretRef:
+ create: true
name: sdnc-cmpv2-keystore-password
key: password
issuer:
# application images
pullPolicy: Always
-image: onap/sdnc-image:2.1.3
+image: onap/sdnc-image:2.1.6
# flag to enable debugging - application support required
debugEnabled: false
sdnrdbTrustAllCerts: true
mountpointRegistrarEnabled: false
mountpointStateProviderEnabled: false
+ netconfCallHome:
+ enabled: true
+ #
# enable and set dmaap-proxy for mountpointRegistrar
dmaapProxy:
enabled: false
user: addUserHere
password: addPasswordHere
url: addProxyUrlHere
-
-
-
-
+ oauth:
+ enabled: false
+ tokenIssuer: ONAP SDNC
+ tokenSecret: secret
+ supportOdlusers: true
+ redirectUri: null
+ publicUrl: none
+ odluxRbac:
+ enabled: true
+ # example definition for a oauth provider
+ providersSecrets:
+ keycloak: d8d7ed52-0691-4353-9ac6-5383e72e9c46
+ providers:
+ - id: keycloak
+ type: KEYCLOAK
+ host: http://keycloak:8080
+ clientId: odlux.app
+ secret: ${KEYCLOAK_SECRET}
+ scope: openid
+ title: ONAP Keycloak Provider
+ roleMapping:
+ mykeycloak: admin
# dependency / sub-chart configuration
certInitializer:
geoNodePort5: 65
geoNodePort6: 66
+ callHomePort: 6666
+ callHomeNodePort: 66
+
## Persist data to a persitent volume
persistence:
enabled: true
endpoint: http://so-openstack-adapter.{{ include "common.namespace" . }}:8087/services/VnfAsync
vfc:
rest:
- endpoint: http://so-vfc-adapter.{{ include "common.namespace" . }}:8084/services/v1/vfcadapter
+ endpoint: http://so-etsi-sol005-adapter.{{ include "common.namespace" . }}:8084/services/v1/vfcadapter
workflow:
message:
endpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/WorkflowMessage
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/bpmn-infra:1.8.1
+image: onap/so/bpmn-infra:1.8.2
pullPolicy: Always
db:
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/catalog-db-adapter:1.8.1
+image: onap/so/catalog-db-adapter:1.8.2
pullPolicy: Always
db:
max-threads: 50
mso:
site-name: localSite
- logPath: ./logs/cnf
+ logPath: ./logs/cnf-adapter
msb-ip: msb-iag.{{ include "common.namespace" . }}
msb-port: 80
#Actuator
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/mso-cnf-adapter:1.8.0
+image: onap/so/so-cnf-adapter:1.8.3
pullPolicy: Always
readinessCheck:
replicaCount: 1
minReadySeconds: 10
containerPort: &containerPort 8090
-logPath: ./logs/cnf/
+logPath: ./logs/cnf-adapter/
app: cnf-adapter
service:
type: ClusterIP
apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Kubernetes
-name: so-vfc-adapter
+name: so-etsi-sol005-adapter
version: 8.0.0
max-threads: 50
mso:
site-name: localSite
- logPath: ./logs/vfc
+ logPath: ./logs/etsi-sol005-adapter
config:
cadi: {{ include "so.cadi.keys" . | nindent 8}}
msb-ip: msb-iag
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/vfc-adapter:1.7.11
+image: onap/so/so-etsi-sol005-adapter:1.8.3
pullPolicy: Always
db:
replicaCount: 1
minReadySeconds: 10
containerPort: &containerPort 8084
-logPath: ./logs/vfc/
-app: vfc-adapter
+logPath: ./logs/etsi-sol005-adapter/
+app: etsi-sol005-adapter
service:
type: ClusterIP
internalPort: *containerPort
externalPort: *containerPort
- portName: so-vfc-port
+ portName: http
updateStrategy:
type: RollingUpdate
maxUnavailable: 1
# soHelpers part
#################################################################
soHelpers:
- nameOverride: so-vfc-cert-init
+ nameOverride: so-etsi-sol005-cert-init
certInitializer:
- nameOverride: so-vfc-cert-init
+ nameOverride: so-etsi-sol005-cert-init
credsPath: /opt/app/osaaf/local
cadi:
apiEnforcement: org.onap.so.vfcAdapterPerm
mso:
site-name: localSite
- logPath: ./logs/nssmf
+ logPath: ./logs/nssmf-adapter
msb-ip: msb-iag.{{ include "common.namespace" . }}
msb-port: 80
adapters:
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/nssmf-adapter:1.8.0
+image: onap/so/so-nssmf-adapter:1.8.3
pullPolicy: Always
db:
replicaCount: 1
minReadySeconds: 10
containerPort: &containerPort 8088
-logPath: ./logs/nssmf/
+logPath: ./logs/nssmf-adapter/
app: nssmf-adapter
service:
type: ClusterIP
mso:
site-name: localSite
- logPath: ./logs/oof
+ logPath: ./logs/oof-adapter
msb-ip: msb-iag.{{ include "common.namespace" . }}
msb-port: 80
msoKey: ${MSO_KEY}
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/so-oof-adapter:1.8.2
+image: onap/so/so-oof-adapter:1.8.3
pullPolicy: Always
mso:
containerPort: &containerPort 8090
minReadySeconds: 10
containerPort: *containerPort
-logPath: ./logs/oof/
+logPath: ./logs/oof-adapter/
app: so-oof-adapter
service:
type: ClusterIP
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/openstack-adapter:1.8.1
+image: onap/so/openstack-adapter:1.8.2
pullPolicy: Always
db:
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/request-db-adapter:1.8.1
+image: onap/so/request-db-adapter:1.8.2
pullPolicy: Always
db:
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/sdc-controller:1.8.1
+image: onap/so/sdc-controller:1.8.2
pullPolicy: Always
db:
unassign: POST|270000|sdncurl10|sdnc-request-header|org:onap:sdnc:northbound:generic-resource
vnf-topology-operation:
create: POST|270000|sdncurl10|sdnc-request-header|org:onap:sdnc:northbound:generic-resource
+ update: POST|270000|sdncurl10|sdnc-request-header|org:onap:sdnc:northbound:generic-resource
activate: POST|270000|sdncurl10|sdnc-request-header|org:onap:sdnc:northbound:generic-resource
assign: POST|270000|sdncurl10|sdnc-request-header|org:onap:sdnc:northbound:generic-resource
changeassign: POST|270000|sdncurl10|sdnc-request-header|org:onap:sdnc:northbound:generic-resource
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/sdnc-adapter:1.8.1
+image: onap/so/sdnc-adapter:1.8.2
pullPolicy: Always
org:
version: ~8.x-0
repository: 'file://components/so-ve-vnfm-adapter'
condition: so-ve-vnfm-adapter.enabled
- - name: so-vfc-adapter
+ - name: so-etsi-sol005-adapter
version: ~8.x-0
- repository: 'file://components/so-vfc-adapter'
- condition: so-vfc-adapter.enabled
+ repository: 'file://components/so-etsi-sol005-adapter'
+ condition: so-etsi-sol005-adapter.enabled
userName: so_user
adminName: so_admin
-image: onap/so/api-handler-infra:1.8.1
+image: onap/so/api-handler-infra:1.8.2
server:
aaf:
so-ve-vnfm-adapter:
enabled: false
-so-vfc-adapter:
+so-etsi-sol005-adapter:
enabled: true
db:
<<: *dbSecrets
# application image
repository: nexus3.onap.org:10001
-image: onap/usecase-ui-server:3.0.7
+image: onap/usecase-ui-server:4.0.1
pullPolicy: Always
# application configuration
flavor: small
# application image
-image: onap/usecase-ui:3.0.6
+image: onap/usecase-ui:4.0.1
pullPolicy: Always
# application configuration
disableNfsProvisioner: true
serviceAccount:
nameOverride: *vfc-mariadb
+ replicaCount: 1
db: &dbConfig
mariadbService: vfc-mariadb
workflowPort: 10550
vfc-zte-vnfm-driver:
- enabled: true
\ No newline at end of file
+ enabled: true
[testenv:docs]
deps = -rdocs/requirements-docs.txt
commands =
- sphinx-build -W -b html -n -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/html
+ sphinx-build -q -W -b html -n -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/html
[testenv:docs-linkcheck]
deps = -rdocs/requirements-docs.txt
-commands = sphinx-build -W -b linkcheck -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/linkcheck
+commands = sphinx-build -q -W -b linkcheck -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/linkcheck
[testenv:spelling]
#basepython = python3
commands =
gitlint
+[testenv:checkbashisms]
+deps =
+whitelist_externals = sh
+ find
+ checkbashisms
+commands =
+ sh -c 'which checkbashisms>/dev/null || sudo yum install devscripts-minimal || sudo apt-get install devscripts \
+ || (echo "checkbashisms command not found - please install it (e.g. sudo apt-get install devscripts | \
+ yum install devscripts-minimal )" >&2 && exit 1)'
+ find . -not -path '*/\.*' -name *.sh -exec checkbashisms -f \{\} +
+
[testenv:autopep8]
deps = autopep8
commands =