.. table:: OOM Software Requirements
- ============== =========== ======= ======== ========
- Release Kubernetes Helm kubectl Docker
- ============== =========== ======= ======== ========
+ ============== =========== ======= ======== ======== ============
+ Release Kubernetes Helm kubectl Docker Cert-Manager
+ ============== =========== ======= ======== ======== ============
amsterdam 1.7.x 2.3.x 1.7.x 1.12.x
beijing 1.8.10 2.8.2 1.8.10 17.03.x
casablanca 1.11.5 2.9.1 1.11.5 17.03.x
frankfurt 1.15.9 2.16.6 1.15.11 18.09.x
guilin 1.15.11 2.16.10 1.15.11 18.09.x
Honolulu 1.19.9 3.5.2 1.19.9 19.03.x
- ============== =========== ======= ======== ========
+ Istanbul 1.2.0
+ ============== =========== ======= ======== ======== ============
.. note::
Guilin version also supports Kubernetes up to version 1.19.x and should work
> cp -R ~/oom/kubernetes/helm/plugins/ ~/.local/share/helm/plugins
> helm plugin install https://github.com/chartmuseum/helm-push.git
-**Step 3** Install Chartmuseum::
+**Step 3.** Install Chartmuseum::
> curl -LO https://s3.amazonaws.com/chartmuseum/release/latest/bin/linux/amd64/chartmuseum
> chmod +x ./chartmuseum
> mv ./chartmuseum /usr/local/bin
-**Step 4.** Customize the Helm charts like `oom/kubernetes/onap/values.yaml` or
+**Step 4.** Install Cert-Manager::
+
+ > kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml
+
+More details can be found :doc:`here <oom_setup_paas>`.
+
+**Step 5.** Customize the Helm charts like `oom/kubernetes/onap/values.yaml` or
an override file like `onap-all.yaml`, `onap-vfw.yaml` or `openstack.yaml` file
to suit your deployment with items like the OpenStack tenant information.
-.. note::
- If you want to use CMPv2 certificate onboarding, Cert-Manager must be installed.
- :doc:`Click here <oom_setup_paas>` to see how to install Cert-Manager.
-
-
-
a. Enabling/Disabling Components:
Here is an example of the nominal entries that need to be provided.
We have different values file available for different contexts.
:language: yaml
-**Step 5.** To setup a local Helm server to server up the ONAP charts::
+**Step 6.** To setup a local Helm server to server up the ONAP charts::
> chartmuseum --storage local --storage-local-rootdir ~/helm3-storage -port 8879 &
> helm repo add local http://127.0.0.1:8879
-**Step 6.** Verify your Helm repository setup with::
+**Step 7.** Verify your Helm repository setup with::
> helm repo list
NAME URL
local http://127.0.0.1:8879
-**Step 7.** Build a local Helm repository (from the kubernetes directory)::
+**Step 8.** Build a local Helm repository (from the kubernetes directory)::
> make SKIP_LINT=TRUE [HELM_BIN=<HELM_PATH>] all ; make SKIP_LINT=TRUE [HELM_BIN=<HELM_PATH>] onap
Sets the helm binary to be used. The default value use helm from PATH
-**Step 8.** Display the onap charts that available to be deployed::
+**Step 9.** Display the onap charts that available to be deployed::
> helm repo update
> helm search repo onap
to your deployment charts or values be sure to use ``make`` to update your
local Helm repository.
-**Step 9.** Once the repo is setup, installation of ONAP can be done with a
+**Step 10.** Once the repo is setup, installation of ONAP can be done with a
single command
.. note::
you want to use to deploy VNFs from ONAP and/or additional parameters for the
embedded tests.
-**Step 10.** Verify ONAP installation
+**Step 11.** Verify ONAP installation
Use the following to monitor your deployment and determine when ONAP is ready
for use::
> ~/oom/kubernetes/robot/ete-k8s.sh onap health
-**Step 11.** Undeploy ONAP
+**Step 12.** Undeploy ONAP
::
> helm undeploy dev
.. _oom_setup_paas:
-ONAP PaaS set-up (optional)
-###########################
+ONAP PaaS set-up
+################
Starting from Honolulu release, Cert-Manager and Prometheus Stack are a part
-of k8s PaaS for ONAP operations and can be optionally installed to provide
+of k8s PaaS for ONAP operations and can be installed to provide
additional functionality for ONAP engineers.
The versions of PaaS compoents that are supported by OOM are as follows:
> kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml
-Prometheus Stack
-================
+Prometheus Stack (optional)
+===========================
Prometheus is an open-source systems monitoring and alerting toolkit with
an active ecosystem.
Pre-requisites
--------------
-Your environment must have both the Kubernetes `kubectl` and Helm setup as a
-one time activity.
+Your environment must have the Kubernetes `kubectl` with Cert-Manager
+and Helm setup as a one time activity.
Install Kubectl
~~~~~~~~~~~~~~~
At this point you should see Kubernetes pods running.
+Install Cert-Manager
+~~~~~~~~~~~~~~~~~~~~
+Details on how to install Cert-Manager can be found
+:doc:`here <oom_setup_paas>`.
+
Install Helm
~~~~~~~~~~~~
Helm is used by OOM for package and configuration management. To install Helm,
| **Release designation** | Honolulu |
| | |
+--------------------------------------+--------------------------------------+
-| **Release date** | 2020/12/03 |
+| **Release date** | 2021/04/29 |
| | |
+--------------------------------------+--------------------------------------+
* Kubernetes support for version up to 1.20
* Helm support for version up to 3.5
* Limits are set for most of the components
+* Portal-Cassandra image updated to Bitnami, supporting IPv4/IPv6 Dual Stack
+* CMPv2 external issuer implemented which extends Cert-Manager with ability to
+ enroll X.509 certificates from CMPv2 servers
+* New version for mariadb galera using Bitnami image, supporting IPv4/IPv6 Dual
+ Stack
+* Bump version of common PostgreSQL and ElasticSearch
+* Move to automatic certificates retrieval for 80% of the components
+* Consistent retrieval of docker images, with ability to configure proxy for
+ the 4 repositories used by ONAP
**Bug fixes**
A list of issues resolved in this release can be found here:
-https://jira.onap.org/projects/OOM/versions/10826
+https://jira.onap.org/projects/OOM/versions/11073
-**Known Issues**
+major issues solved:
-- `<https://github.com/bitnami/bitnami-docker-mariadb-galera/issues/35>`_
- bitnami mariadb galera image doesn't support single quote in password.
+* Better handling of persistence on PostgreSQL
+* Better Ingress templating
+* Better Service templating
+**Known Issues**
+- `OOM-2554 <https://jira.onap.org/browse/OOM-2554>`_ Common pods have java 8
+- `OOM-2435 <https://jira.onap.org/browse/OOM-2435>`_ SDNC karaf shell:
+ log:list: Error executing command: Unrecognized configuration
+- `OOM-2629 <https://jira.onap.org/browse/OOM-2629>`_ NetBox demo entry setup
+ not complete
+- `OOM-2706 <https://jira.onap.org/browse/OOM-2706>`_ CDS Blueprint Processor
+ does not work with local DB
+- `OOM-2713 <https://jira.onap.org/browse/OOM-2713>`_ Problem on onboarding
+ custom cert to SDNC ONAP during deployment
+- `OOM-2698 <https://jira.onap.org/browse/OOM-2698>`_ SO helm override fails in
+ for value with multi-level replacement
+- `OOM-2697 <https://jira.onap.org/browse/OOM-2697>`_ SO with local MariaDB
+ deployment fails
+- `OOM-2538 <https://jira.onap.org/browse/OOM-2538>`_ strange error with
+ CertInitializer template
+- `OOM-2547 <https://jira.onap.org/browse/OOM-2547>`_ Health Check failures
+ seen after bringing down/up control plane & worker node VM instances on which
+ ONAP hosted
+- `OOM-2699 <https://jira.onap.org/browse/OOM-2699>`_ SO so-mariadb
+ readinessCheck fails for local MariaDB instance
+- `OOM-2705 <https://jira.onap.org/browse/OOM-2705>`_ SDNC DB installation fails
+ on local MariaDB instance
+- `OOM-2603 <https://jira.onap.org/browse/OOM-2603>`_ [SDNC] allign password for
+ scaleoutUser/restconfUser/odlUser
Deliverables
------------
org.onap.clamp|clds.template|dev|read|Onap Clamp Dev Read Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}"
org.onap.clamp|clds.template|dev|update|Onap Clamp Dev Update Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}"
org.onap.clamp|clds.tosca|dev|*||"{'org.onap.clamp|service'}"
+org.onap.clamp|clds.policies|dev|*||"{'org.onap.clamp|service'}"
org.onap.clampdemo|access|*|*|ClampDemo Write Access|{'org.onap.clampdemo.admin'}
org.onap.clampdemo|access|*|read|ClampDemo Read Access|{'org.onap.clampdemo.owner'}
org.onap.clamptest|access|*|*|Onap Write Access|{'org.onap.clamptest.admin'}
org.onap.clampdemo|owner|onap clamp Test Owners|"{'org.onap.clampdemo.access|*|read'}"
org.onap.clamp|owner|AAF Namespace Owners|
org.onap.clamp|seeCerts||"{'org.onap.clamp|certman|local|request,ignoreIPs,showpass'}"
-org.onap.clamp|service||"{'org.onap.clamp|access|*|*', 'org.onap.clamp|clds.cl.manage|dev|*', 'org.onap.clamp|clds.cl|dev|*', 'org.onap.clamp|clds.filter.vf|dev|*', 'org.onap.clamp|clds.template|dev|*', 'org.onap.clamp|clds.tosca|dev|*'}"
+org.onap.clamp|service||"{'org.onap.clamp|access|*|*', 'org.onap.clamp|clds.cl.manage|dev|*', 'org.onap.clamp|clds.cl|dev|*', 'org.onap.clamp|clds.filter.vf|dev|*', 'org.onap.clamp|clds.template|dev|*', 'org.onap.clamp|clds.tosca|dev|*', 'org.onap.clamp|clds.policies|dev|*'}"
org.onap.clamptest|admin|Onap Clamp Test Admins|"{'org.onap.clamptest.access|*|*'}"
org.onap.clamptest|owner|onap clamp Test Owners|"{'org.onap.clamptest.access|*|read'}"
org.onap.cli|admin|AAF Namespace Administrators|"{'org.onap.cli|access|*|*'}"
mountSubPath: "cass"
volumeReclaimPolicy: Retain
accessMode: ReadWriteOnce
- size: 20Gi
+ size: 5Gi
--- /dev/null
+spring.autoconfigure.exclude=\
+ org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\
+ org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration
+
+multi.tenancy.enabled={{ .Values.config.keycloak.multiTenancy.enabled }}
+keycloak.auth-server-url=http://{{ .Values.config.keycloak.host }}:{{ .Values.config.keycloak.port }}/auth
+keycloak.realm={{ .Values.config.keycloak.realm }}
+keycloak.resource={{ .Values.config.keycloak.resource }}
+keycloak.public-client=false
+keycloak.principal-attribute=preferred_username
+
+keycloak.ssl-required=external
+keycloak.bearer-only=true
{{ tpl (.Files.Glob "resources/config/janusgraph-cached.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/aaiconfig.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }}
+{{ tpl (.Files.Glob "resources/config/application-keycloak.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }}
---
apiVersion: v1
- mountPath: /opt/app/aai-traversal/resources/application.properties
name: {{ include "common.fullname" . }}-config
subPath: application.properties
+ - mountPath: /opt/app/aai-traversal/resources/application-keycloak.properties
+ name: {{ include "common.fullname" . }}-config
+ subPath: application-keycloak.properties
ports:
- containerPort: {{ .Values.service.internalPort }}
- containerPort: {{ .Values.service.internalPort2 }}
# Active spring profiles for the resources microservice
profiles:
- active: production,dmaap,aaf-auth
+ active: production,dmaap,aaf-auth #,keycloak
# Notification event specific properties
notification:
# application configuration
config:
+ # configure keycloak according to your environment.
+ # don't forget to add keycloak in active profiles above (global.config.profiles)
+ keycloak:
+ host: keycloak.your.domain
+ port: 8180
+ # Specifies a set of users, credentials, roles, and groups
+ realm: aai-traversal
+ # Used by any client application for enabling fine-grained authorization for their protected resources
+ resource: aai-traversal-app
+ # If set to true, additional criteria will be added into traversal query to returns all the vertices that match
+ # the data-owner property with the given role to the user in keycloak
+ multiTenancy:
+ enabled: true
+
# Specifies timeout information such as application specific and limits
timeout:
# If set to true application will timeout for queries taking longer than limit
cadi_longitude: "-72.0"
credsPath: /opt/app/osaaf/local
aaf_add_config: |
- echo "*** retrieving password for keystore"
- export $(/opt/app/aaf_config/bin/agent.sh local showpass \
- {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0)
- if [ -z "$cadi_keystore_password_p12" ]
- then
- echo " /!\ certificates retrieval failed"
- exit 1
- else
- cd {{ .Values.credsPath }};
- mkdir -p certs;
- echo "*** transform AAF certs into pem files"
- mkdir -p {{ .Values.credsPath }}/certs
- openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
- -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \
- -passin pass:$cadi_keystore_password_p12 \
- -passout pass:$cadi_keystore_password_p12
- echo "*** copy key file"
- cp {{ .Values.fqi_namespace }}.key certs/key.pem;
- echo "*** change ownership of certificates to targeted user"
- chown -R 1000 {{ .Values.credsPath }}
- fi
+ echo "*** transform AAF certs into pem files"
+ mkdir -p {{ .Values.credsPath }}/certs
+ openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+ echo "*** copy key file"
+ cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \
+ {{ .Values.credsPath }}/certs/key.pem
+ echo "*** change ownership of certificates to targeted user"
+ chown -R 1000 {{ .Values.credsPath }}
#################################################################
# Application configuration defaults.
# Wait for database to init properly
#
echo "Waiting for mariadbgalera"
-until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql &> /dev/null
+until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql >/dev/null 2>&1
do
printf "."
sleep 1
disableNfsProvisioner: true
serviceAccount:
nameOverride: *appc-db
+ replicaCount: 1
dgbuilder:
nameOverride: appc-dgbuilder
timeoutSeconds: {{ .Values.readiness.timeoutSeconds }}
successThreshold: {{ .Values.readiness.successThreshold }}
failureThreshold: {{ .Values.readiness.failureThreshold }}
+ startupProbe:
+ exec:
+ command:
+ - /bin/bash
+ - -c
+ - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }'
+ initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }}
+ periodSeconds: {{ .Values.startup.periodSeconds }}
+ timeoutSeconds: {{ .Values.startup.timeoutSeconds }}
+ successThreshold: {{ .Values.startup.successThreshold }}
+ failureThreshold: {{ .Values.startup.failureThreshold }}
env:
{{- $seed_size := default 1 .Values.replicaCount | int -}}
{{- $global := . }}
# probe configuration parameters
liveness:
- initialDelaySeconds: 60
- periodSeconds: 20
+ initialDelaySeconds: 1
+ periodSeconds: 10
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 3
enabled: true
readiness:
- initialDelaySeconds: 120
- periodSeconds: 20
+ initialDelaySeconds: 1
+ periodSeconds: 10
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 3
+startup:
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 10
+ successThreshold: 1
+ failureThreshold: 90
+
service:
name: cassandra
headless:
## storageClass: "-"
## Not set as it depends of the backup enabledment or not.
accessMode: ReadWriteOnce
- size: 2Gi
+ size: 10Gi
mountPath: /dockerdata-nfs
mountSubPath: cassandra
storageType: local
*/}}
CERTS_DIR=${CERTS_DIR:-/certs}
+MORE_CERTS_DIR=${MORE_CERTS_DIR:-/more_certs}
WORK_DIR=${WORK_DIR:-/updatedTruststore}
ONAP_TRUSTSTORE=${ONAP_TRUSTSTORE:-truststoreONAPall.jks}
JRE_TRUSTSTORE=${JRE_TRUSTSTORE:-$JAVA_HOME/lib/security/cacerts}
fi
done
+for f in $MORE_CERTS_DIR/*; do
+ if [ ${f: -4} == ".pem" ]
+ then
+ cp $f $WORK_DIR/.
+ fi
+done
+
# Prepare truststore output file
if [ "$AAF_ENABLED" = "true" ]
then
- mv $WORK_DIR/$ONAP_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME
+ echo "AAF is enabled, use 'AAF' truststore"
+ export TRUSTSTORE_OUTPUT_FILENAME=${ONAP_TRUSTSTORE}
else
echo "AAF is disabled, using JRE truststore"
cp $JRE_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME
--- /dev/null
+#!/bin/sh
+
+{{/*
+# Copyright © 2020 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/ -}}
+
+echo "*** retrieving certificates and keys"
+export CRT=$(cat {{ .Values.credsPath }}/certs/tls.crt | base64 -w 0)
+export KEY=$(cat {{ .Values.credsPath }}/certs/tls.key | base64 -w 0)
+export CACERT=$(cat {{ .Values.credsPath }}/certs/cacert.pem | base64 -w 0)
+echo "*** creating tls secret"
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ tpl .Values.ingressTlsSecret . }}
+ namespace: {{ include "common.namespace" . }}
+data:
+ ca.crt: "${CACERT}"
+ tls.crt: "${CRT}"
+ tls.key: '${KEY}'
+type: kubernetes.io/tls
+EOF
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-*/}}
+*/ -}}
+
echo "*** retrieving passwords for certificates"
export $(/opt/app/aaf_config/bin/agent.sh local showpass \
{{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0)
--- /dev/null
+#!/bin/sh
+
+{{/*
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/ -}}
+
+echo "--- Cert transformation for use with Ingress"
+echo "*** transform AAF certs into pem files"
+mkdir -p {{ .Values.credsPath }}/certs
+keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \
+ -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \
+ -alias ca_local_0 \
+ -storepass $cadi_truststore_password
+openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -out {{ .Values.credsPath }}/certs/tls.crt -nokeys \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \
+ {{ .Values.credsPath }}/certs/tls.key
+echo "--- Done"
{{/*
# Copyright © 2020 Bell Canada, Samsung Electronics
+# Copyright © 2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
mountPath: /opt/app/aaf_config/bin/retrieval_check.sh
subPath: retrieval_check.sh
+{{- if hasKey $initRoot "ingressTlsSecret" }}
+ - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
+ mountPath: /opt/app/aaf_config/bin/tls_certs_configure.sh
+ subPath: tls_certs_configure.sh
+{{- end }}
{{- if $initRoot.aaf_add_config }}
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh
- |
/opt/app/aaf_config/bin/agent.sh
. /opt/app/aaf_config/bin/retrieval_check.sh
+{{- if hasKey $initRoot "ingressTlsSecret" }}
+ /opt/app/aaf_config/bin/tls_certs_configure.sh
+{{- end -}}
{{- if $initRoot.aaf_add_config }}
/opt/app/aaf_config/bin/aaf-add-config.sh
{{- end }}
volumeMounts:
- mountPath: /certs
name: aaf-agent-certs
+ - mountPath: /more_certs
+ name: provided-custom-certs
- mountPath: /root/import-custom-certs.sh
name: aaf-agent-certs
subPath: import-custom-certs.sh
configMap:
name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }}
defaultMode: 0700
+{{- if $dot.Values.global.importCustomCertsEnabled }}
+- name: provided-custom-certs
+{{- if $dot.Values.global.customCertsSecret }}
+ secret:
+ secretName: {{ $dot.Values.global.customCertsSecret }}
+{{- else }}
+{{- if $dot.Values.global.customCertsConfigMap }}
+ configMap:
+ name: {{ $dot.Values.global.customCertsConfigMap }}
+{{- else }}
+ emptyDir:
+ medium: Memory
+{{- end }}
+{{- end }}
+{{- end }}
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
configMap:
name: {{ include "common.fullname" $subchartDot }}-add-config
{{/*
# Copyright © 2020 Samsung Electronics
+# Copyright © 2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
{{- $suffix := "add-config" }}
metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
data:
-{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }}
+{{ tpl (.Files.Glob "resources/retrieval/retrieval_check.sh").AsConfig . | indent 2 }}
+{{- if hasKey .Values "ingressTlsSecret" }}
+{{ tpl (.Files.Glob "resources/retrieval/tls_certs_configure.sh").AsConfig . | indent 2 }}
+{{- end }}
{{ if .Values.aaf_add_config }}
aaf-add-config.sh: |
{{ tpl .Values.aaf_add_config . | indent 4 | trim }}
{{- end }}
+{{- if hasKey .Values "ingressTlsSecret" }}
+---
+apiVersion: v1
+kind: ConfigMap
+{{- $suffix := "ingress" }}
+metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
+data:
+{{ tpl (.Files.Glob "resources/ingress/onboard.sh").AsConfig . | indent 2 }}
+{{- end }}
--- /dev/null
+{{/*
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if hasKey .Values "ingressTlsSecret" }}
+apiVersion: batch/v1
+kind: Job
+{{- $suffix := "set-tls-secret" }}
+metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
+spec:
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ initContainers: {{ include "common.certInitializer.initContainer" (dict "dot" . "initRoot" .Values) | nindent 6 }}
+ containers:
+ - name: create tls secret
+ command:
+ - /ingress/onboard.sh
+ image: {{ include "repositoryGenerator.image.kubectl" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" (dict "dot" . "initRoot" .Values) | nindent 8 }}
+ - name: ingress-scripts
+ mountPath: /ingress
+ volumes: {{ include "common.certInitializer.volumes" (dict "dot" . "initRoot" .Values) | nindent 6 }}
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
+ - name: ingress-scripts
+ configMap:
+ name: {{ include "common.fullname" . }}-ingress
+ defaultMode: 0777
+{{- end}}
global:
aafAgentImage: onap/aaf/aaf_agent:2.1.20
aafEnabled: true
+ # Give the name of a config map where certInitializer will onboard all certs
+ # given (certs must be in pem format)
+ customCertsConfigMap:
+ # Give the name of a secret where certInitializer will onboard all certs given
+ # (certs must be in pem format)
+ # this one superseedes previous one (so if both are given, only certs from
+ # secret will be onboarded).
+ customCertsSecret:
+
pullPolicy: Always
- aaf-cm
- aaf-service
-aafDeployFqi: "changeme"
fqdn: ""
app_ns: "org.osaaf.aaf"
fqi: ""
truststoreOutputFileName: truststore.jks
truststorePassword: changeit
envVarToCheck: cadi_keystore_password_p12
+# ingressTlsSecret:
# This introduces implicit dependency on cert-wrapper
# if you are using cert initializer cert-wrapper has to be also deployed.
{{ end }}
{{- end -}}
+{{/*Using templates below allows read and write access to volume mounted at $mountPath*/}}
+
{{- define "common.certManager.volumeMounts" -}}
{{- $dot := default . .dot -}}
{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
sources:
- secret:
name: {{ $certificatesSecretName }}
- {{- if $certificate.keystore }}
items:
+ - key: tls.key
+ path: key.pem
+ - key: tls.crt
+ path: cert.pem
+ - key: ca.crt
+ path: cacert.pem
+ {{- if $certificate.keystore }}
{{- range $outputType := $certificate.keystore.outputType }}
- key: keystore.{{ $outputType }}
path: keystore.{{ $outputType }}
{{- $certsLinkCommand = (printf "ln -s %s %s; %s" $sourcePath $destnationPath $certsLinkCommand) -}}
{{- end -}}
{{ $certsLinkCommand }}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
+
+{{/*Using templates below allows only read access to volume mounted at $mountPath*/}}
+
+{{- define "common.certManager.volumeMountsReadOnly" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+ {{- range $i, $certificate := $dot.Values.certificates -}}
+ {{- $mountPath := $certificate.mountPath -}}
+- mountPath: {{ $mountPath }}
+ name: certmanager-certs-volume-{{ $i }}
+ {{- end -}}
+{{- end -}}
+
+{{- define "common.certManager.volumesReadOnly" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- $certificates := $dot.Values.certificates -}}
+ {{- range $i, $certificate := $certificates -}}
+ {{- $name := include "common.fullname" $dot -}}
+ {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
+- name: certmanager-certs-volume-{{ $i }}
+ projected:
+ sources:
+ - secret:
+ name: {{ $certificatesSecretName }}
+ items:
+ - key: tls.key
+ path: key.pem
+ - key: tls.crt
+ path: cert.pem
+ - key: ca.crt
+ path: cacert.pem
+ {{- if $certificate.keystore }}
+ {{- range $outputType := $certificate.keystore.outputType }}
+ - key: keystore.{{ $outputType }}
+ path: keystore.{{ $outputType }}
+ - key: truststore.{{ $outputType }}
+ path: truststore.{{ $outputType }}
+ {{- end }}
+ - secret:
+ name: {{ $certificate.keystore.passwordSecretRef.name }}
+ items:
+ - key: {{ $certificate.keystore.passwordSecretRef.key }}
+ path: keystore.pass
+ - key: {{ $certificate.keystore.passwordSecretRef.key }}
+ path: truststore.pass
+ {{- end }}
+ {{- end -}}
+{{- end -}}
livenessProbe:
exec:
command:
- - bash
+ - sh
- -ec
- |
exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD
readinessProbe:
exec:
command:
- - bash
+ - sh
- -ec
- |
exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD
successThreshold: {{ .Values.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
{{- end }}
+ {{- if .Values.startupProbe.enabled }}
+ startupProbe:
+ exec:
+ command:
+ - sh
+ - -ec
+ - |
+ exec mysqladmin status -u$MARIADB_ROOT_USER -p$MARIADB_ROOT_PASSWORD
+ initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.startupProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.startupProbe.successThreshold }}
+ failureThreshold: {{ .Values.startupProbe.failureThreshold }}
+ {{- end }}
resources: {{ include "common.resources" . | nindent 12 }}
volumeMounts:
- name: previous-boot
resources:
small:
limits:
- cpu: 500m
- memory: 2.5Gi
+ cpu: 1
+ memory: 4Gi
requests:
- cpu: 100m
- memory: 750Mi
+ cpu: 500m
+ memory: 2Gi
large:
limits:
cpu: 2
- memory: 4Gi
+ memory: 6Gi
requests:
cpu: 1
- memory: 2Gi
+ memory: 3Gi
unlimited: {}
## MariaDB Galera containers' liveness and readiness probes
##
livenessProbe:
enabled: true
- ## Initializing the database could take some time
- ##
- initialDelaySeconds: 150
+ initialDelaySeconds: 1
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
readinessProbe:
enabled: true
- initialDelaySeconds: 60
+ initialDelaySeconds: 1
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
+startupProbe:
+ ## Initializing the database could take some time
+ ##
+ enabled: true
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 1
+ successThreshold: 1
+ # will wait up for initialDelaySeconds + failureThreshold*periodSeconds before
+ # stating startup wasn't good (910s per default)
+ failureThreshold: 90
## Pod disruption budget configuration
##
credsPath: /opt/app/osaaf/local
appMountPath: /opt/app/aafcertman
aaf_add_config: >
- cd {{ .Values.credsPath }};
- /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} | grep cadi_keystore_password_jks= | cut -d= -f 2 > {{ .Values.credsPath }}/.pass 2>&1;
+ echo "$cadi_keystore_password_jks" > {{ .Values.credsPath }}/.pass;
replicaCount: 1
ejbca:
- image: primekey/ejbca-ce:6.15.2.5
+ image: primekey/ejbca-ce:7.4.3.2
pullPolicy: Always
mariadb-galera:
# ================================================================================
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
- mountPath: /opt/app/osaaf
name: tls-info
{{- end }}
+ {{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }}
containers:
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
env:
{{- if $certDir }}
- name: DCAE_CA_CERTPATH
- value: {{ $certDir}}/cacert.pem
+ value: {{ $certDir }}/cacert.pem
{{- end }}
- name: CONSUL_HOST
value: consul-server.onap
{{- if $certDir }}
- mountPath: {{ $certDir }}
name: tls-info
+ {{- if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}}
+ {{- include "common.certManager.volumeMountsReadOnly" . | nindent 8 -}}
+ {{- end -}}
{{- end }}
{{- if $policy }}
- name: policy-shared
name: onap-policy-xacml-pdp-api-creds
key: password
- name: POLICY_SYNC_PDP_URL
- value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969
+ value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969
- name: POLICY_SYNC_OUTFILE
value : "/etc/policies/policies.json"
- name: POLICY_SYNC_V1_DECISION_ENDPOINT
{{- if $certDir }}
- emptyDir: {}
name: tls-info
+ {{ if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}}
+ {{ include "common.certManager.volumesReadOnly" . | nindent 6 }}
+ {{- end }}
{{- end }}
{{- if $policy }}
- name: policy-shared
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
{{ end -}}
+
+{{/*
+ For internal use
+
+ Template to attach CertPostProcessor which merges CMPv2 truststore with AAF truststore
+ and swaps keystore files.
+*/}}
+{{- define "dcaegen2-services-common._certPostProcessor" -}}
+ {{- $certDir := default "" .Values.certDirectory . -}}
+ {{- if and $certDir .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}}
+ {{- $cmpv2Certificate := (index .Values.certificates 0) -}}
+ {{- $cmpv2CertificateDir := $cmpv2Certificate.mountPath -}}
+ {{- $certType := "pem" -}}
+ {{- if $cmpv2Certificate.keystore -}}
+ {{- $certType = (index $cmpv2Certificate.keystore.outputType 0) -}}
+ {{- end -}}
+ {{- $truststoresPaths := printf "%s/%s:%s/%s" $certDir "cacert.pem" $cmpv2CertificateDir "cacert.pem" -}}
+ {{- $truststoresPasswordPaths := ":" -}}
+ {{- $keystoreSourcePaths := printf "%s/%s:%s/%s" $cmpv2CertificateDir "cert.pem" $cmpv2CertificateDir "key.pem" -}}
+ {{- $keystoreDestinationPaths := printf "%s/%s:%s/%s" $certDir "cert.pem" $certDir "key.pem" -}}
+ {{- if not (eq $certType "pem") -}}
+ {{- $truststoresPaths = printf "%s/%s:%s/%s.%s" $certDir "trust.jks" $cmpv2CertificateDir "truststore" $certType -}}
+ {{- $truststoresPasswordPaths = printf "%s/%s:%s/%s" $certDir "trust.pass" $cmpv2CertificateDir "truststore.pass" -}}
+ {{- $keystoreSourcePaths = printf "%s/%s.%s:%s/%s" $cmpv2CertificateDir "keystore" $certType $cmpv2CertificateDir "keystore.pass" -}}
+ {{- $keystoreDestinationPaths = printf "%s/%s.%s:%s/%s.pass" $certDir "cert" $certType $certDir $certType -}}
+ {{- end }}
+ - name: cert-post-processor
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.certPostProcessorImage }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ resources:
+ {{- include "common.resources" . | nindent 4 }}
+ volumeMounts:
+ - mountPath: {{ $certDir }}
+ name: tls-info
+ {{- include "common.certManager.volumeMountsReadOnly" . | nindent 4 }}
+ env:
+ - name: TRUSTSTORES_PATHS
+ value: {{ $truststoresPaths | quote}}
+ - name: TRUSTSTORES_PASSWORDS_PATHS
+ value: {{ $truststoresPasswordPaths | quote }}
+ - name: KEYSTORE_SOURCE_PATHS
+ value: {{ $keystoreSourcePaths | quote }}
+ - name: KEYSTORE_DESTINATION_PATHS
+ value: {{ $keystoreDestinationPaths | quote }}
+ {{- end }}
+{{- end -}}
# limitations under the License.
# ============LICENSE_END=========================================================
# dcaegen2-services-common templates get any values from the scope
-# they are passed. There are no locally-defined values.
\ No newline at end of file
+# they are passed. There are no locally-defined values.
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
- name: dcaegen2-services-common
version: ~8.x-0
repository: 'file://../../common/dcaegen2-services-common'
+ - name: certManagerCertificate
+ version: ~8.x-0
+ repository: '@local'
--- /dev/null
+{{/*
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }}
+{{ include "certManagerCertificate.certificate" . }}
+{{ end }}
#============LICENSE_START========================================================
# ================================================================================
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
#################################################################
tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0
+certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3
#################################################################
# Application configuration defaults.
password: '{{ .Values.aafCreds.password }}'
passwordPolicy: required
+# CMPv2 certificate
+# It is used only when global parameter cmpv2Enabled is true
+# Disabled by default
+certificates:
+ - mountPath: /etc/ves-hv/ssl/external
+ commonName: dcae-hv-ves-collector
+ dnsNames:
+ - dcae-hv-ves-collector
+ - hv-ves-collector
+ - hv-ves
+ keystore:
+ outputType:
+ - jks
+ passwordSecretRef:
+ name: hv-ves-cmpv2-keystore-password
+ key: password
+ create: true
+
# dependencies
readinessCheck:
wait_for:
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
- name: dcaegen2-services-common
version: ~8.x-0
repository: 'file://../../common/dcaegen2-services-common'
+ - name: certManagerCertificate
+ version: ~8.x-0
+ repository: '@local'
--- /dev/null
+{{/*
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }}
+{{ include "certManagerCertificate.certificate" . }}
+{{ end }}
#============LICENSE_START========================================================
# ================================================================================
# Copyright (c) 2021 J. F. Lucas. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
#################################################################
tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0
+certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3
#################################################################
# Application configuration defaults.
# and key from AAF and mount them in certDirectory.
tlsServer: true
+# CMPv2 certificate
+# It is used only when global parameter cmpv2Enabled is true
+# Disabled by default
+certificates:
+ - mountPath: /opt/app/dcae-certificate/external
+ commonName: dcae-ves-collector
+ dnsNames:
+ - dcae-ves-collector
+ - ves-collector
+ - ves
+ keystore:
+ outputType:
+ - jks
+ passwordSecretRef:
+ name: ves-cmpv2-keystore-password
+ key: password
+ create: true
+
# dependencies
readinessCheck:
wait_for:
resources:
small:
limits:
- cpu: 0.6
- memory: 1Gi
+ cpu: 2
+ memory: 2Gi
requests:
- cpu: 0.4
- memory: 600Mib
+ cpu: 1
+ memory: 1Gi
large:
limits:
cpu: 4
usage() {
cat << EOF
-Install (or upgrade) an umbrella Helm Chart, and its subcharts, as separate Helm Releases
+Install (or upgrade) an umbrella Helm Chart, and its subcharts, as separate Helm Releases
The umbrella Helm Chart is broken apart into a parent release and subchart releases.
Subcharts the are disabled (<chart>.enabled=false) will not be installed or upgraded.
cat $COMPUTED_OVERRIDES | sed '/common:/,/consul:/d' \
| sed -n '/^'"$START"'/,/'log:'/p' | sed '1d;$d' >> $GLOBAL_OVERRIDES
else
- SUBCHART_DIR="$CACHE_SUBCHART_DIR/$(cut -d':' -f1 <<<"$START")"
+ SUBCHART_DIR="$CACHE_SUBCHART_DIR/$(echo "$START" |cut -d':' -f1)"
if [[ -d "$SUBCHART_DIR" ]]; then
if [[ -z "$END" ]]; then
cat $COMPUTED_OVERRIDES | sed -n '/^'"$START"'/,/'"$END"'/p' \
RELEASE=$1
CHART_URL=$2
FLAGS=${@:3}
- CHART_REPO="$(cut -d'/' -f1 <<<"$CHART_URL")"
- CHART_NAME="$(cut -d'/' -f2 <<<"$CHART_URL")"
+ CHART_REPO="$(echo "$CHART_URL" |cut -d'/' -f1)"
+ CHART_NAME="$(echo "$CHART_URL" |cut -d'/' -f2)"
if [[ $HELM_VER = "v3."* ]]; then
CACHE_DIR=~/.local/share/helm/plugins/deploy/cache
else
DEPLOY_FLAGS=$(resolve_deploy_flags "$FLAGS")
# determine if upgrading individual subchart or entire parent + subcharts
- SUBCHART_RELEASE="$(cut -d'-' -f2 <<<"$RELEASE")"
+ SUBCHART_RELEASE="$(echo "$RELEASE" |cut -d'-' -f2)"
# update specified subchart without parent
- RELEASE="$(cut -d'-' -f1 <<<"$RELEASE")"
+ RELEASE="$(echo "$RELEASE" |cut -d'-' -f1)"
if [[ $SUBCHART_RELEASE = $RELEASE ]]; then
SUBCHART_RELEASE=
fi
n=${#array[*]}
for (( i = n-1; i >= 0; i-- )); do
if [[ $HELM_VER = "v3."* ]]; then
- helm del "${array[i]}"
+ helm del "${array[i]}"
else
helm del "${array[i]}" --purge
fi
usage() {
cat << EOF
-Delete an umbrella Helm Chart, and its subcharts, that was previously deployed using 'Helm deploy'.
+Delete an umbrella Helm Chart, and its subcharts, that was previously deployed using 'Helm deploy'.
Example of deleting all Releases that have the prefix 'demo'.
$ helm undeploy demo
app_ns: org.osaaf.aaf
credsPath: /opt/app/osaaf/local
aaf_add_config: |
- echo "*** retrieving passwords for certificates"
- export $(/opt/app/aaf_config/bin/agent.sh local showpass \
- {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c')
- if [ -z "$cadi_keystore_password_p12" ]
- then
- echo " /!\ certificates retrieval failed"
- exit 1
- else
- mkdir -p {{ .Values.credsPath }}/certs
- echo "*** retrieve certificate from pkcs12"
- openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
- -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \
- -passin pass:$cadi_keystore_password_p12 \
- -passout pass:$cadi_keystore_password_p12
- echo "*** copy key to relevant place"
- cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key
- echo "*** change ownership and read/write attributes"
- chown -R 1000 {{ .Values.credsPath }}/certs
- chmod 600 {{ .Values.credsPath }}/certs/cert.crt
- chmod 600 {{ .Values.credsPath }}/certs/cert.key
- fi
+ mkdir -p {{ .Values.credsPath }}/certs
+ echo "*** retrieve certificate from pkcs12"
+ openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+ echo "*** copy key to relevant place"
+ cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key
+ echo "*** change ownership and read/write attributes"
+ chown -R 1000 {{ .Values.credsPath }}/certs
+ chmod 600 {{ .Values.credsPath }}/certs/cert.crt
+ chmod 600 {{ .Values.credsPath }}/certs/cert.key
#################################################################
# Application configuration defaults.
app_ns: org.osaaf.aaf
credsPath: /opt/app/osaaf/local
aaf_add_config: |
- echo "*** retrieving passwords for certificates"
- export $(/opt/app/aaf_config/bin/agent.sh local showpass \
- {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c')
- if [ -z "$cadi_keystore_password_p12" ]
- then
- echo " /!\ certificates retrieval failed"
- exit 1
- else
- mkdir -p {{ .Values.credsPath }}/certs
- echo "*** retrieve certificate from pkcs12"
- openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
- -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \
- -passin pass:$cadi_keystore_password_p12 \
- -passout pass:$cadi_keystore_password_p12
- echo "*** copy key to relevant place"
- cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key
- echo "*** change ownership and read/write attributes"
- chown -R 1000 {{ .Values.credsPath }}/certs
- chmod 600 {{ .Values.credsPath }}/certs/cert.crt
- chmod 600 {{ .Values.credsPath }}/certs/cert.key
- fi
+ mkdir -p {{ .Values.credsPath }}/certs
+ echo "*** retrieve certificate from pkcs12"
+ openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+ echo "*** copy key to relevant place"
+ cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key
+ echo "*** change ownership and read/write attributes"
+ chown -R 1000 {{ .Values.credsPath }}/certs
+ chmod 600 {{ .Values.credsPath }}/certs/cert.crt
+ chmod 600 {{ .Values.credsPath }}/certs/cert.key
#################################################################
# Application configuration defaults.
certEndpoint: v1/certificate
caName: RA
certSecretRef:
- name: oom-cert-service-server-tls-secret
+ name: oom-cert-service-client-tls-secret
certRef: tls.crt
keyRef: tls.key
cacertRef: ca.crt
+++ /dev/null
-{{/*
- # Copyright © 2020, Nokia
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # http://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
-*/}}
-
-{{- if .Values.global.offlineDeploymentBuild }}
-apiVersion: apps/v1
-kind: Deployment
-metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
-spec:
- replicas: {{ .Values.replicaCount }}
- selector: {{- include "common.selectors" . | nindent 4 }}
- template:
- metadata: {{- include "common.templateMetadata" . | nindent 6 }}
- spec:
- containers:
- - name: {{ include "common.name" . }}
- image: {{ include "common.repository" . }}/{{ .Values.certificateGenerationImage }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-{{ end -}}
# Standard OOM
pullPolicy: "Always"
repository: "nexus3.onap.org:10001"
- offlineDeploymentBuild: false
# Service configuration
port: 8443
port_protocol: http
-# Certificates generation configuration
-certificateGenerationImage: onap/integration-java11:7.2.0
-
# Deployment configuration
repository: "nexus3.onap.org:10001"
image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.3
uid: 101
gid: 102
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWORD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }});
uid: 100
gid: 101
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }});
cpu: 200m
memory: 2Gi
unlimited: {}
-
spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller,clamp-ssl-config,clamp-policy-controller,default-dictionary-elements
#The log folder that will be used in logback.xml file
-clamp.config.files.sdcController=file:/opt/policy/clamp/sdc-controllers-config.json
+clamp.config.files.sdcController=file:/opt/policy/clamp/sdc-controllers-config-pass.json
#
# Configuration Settings for Policy Engine Components
-clamp.config.policy.api.url=https4://policy-api.{{ include "common.namespace" . }}:6969
+clamp.config.policy.api.url=https://policy-api.{{ include "common.namespace" . }}:6969
clamp.config.policy.api.userName=healthcheck
clamp.config.policy.api.password=zb!XztG34
-clamp.config.policy.pap.url=https4://policy-pap.{{ include "common.namespace" . }}:6969
+clamp.config.policy.pap.url=https://policy-pap.{{ include "common.namespace" . }}:6969
clamp.config.policy.pap.userName=healthcheck
clamp.config.policy.pap.password=zb!XztG34
#DCAE Inventory Url Properties
-clamp.config.dcae.inventory.url=https4://inventory.{{ include "common.namespace" . }}:8080
-clamp.config.dcae.dispatcher.url=https4://deployment-handler.{{ include "common.namespace" . }}:8443
+clamp.config.dcae.inventory.url=https://inventory.{{ include "common.namespace" . }}:8080
+clamp.config.dcae.dispatcher.url=https://deployment-handler.{{ include "common.namespace" . }}:8443
#DCAE Deployment Url Properties
-clamp.config.dcae.deployment.url=https4://deployment-handler.{{ include "common.namespace" . }}:8443
+clamp.config.dcae.deployment.url=https://deployment-handler.{{ include "common.namespace" . }}:8443
clamp.config.dcae.deployment.userName=none
clamp.config.dcae.deployment.password=none
# limitations under the License.
*/}}
-mysql -h"${MYSQL_HOST}" -P"${MYSQL_PORT}" -u"${MYSQL_USER}" -p"${MYSQL_PASSWORD}" policyclamp < /dbcmd-config/policy-clamp-create-tables.sql
+mysql -h"${MYSQL_HOST}" -P"${MYSQL_PORT}" -u"${MYSQL_USER}" -p"${MYSQL_PASSWORD}" -f policyclamp < /dbcmd-config/policy-clamp-create-tables.sql
"consumerId": "clamp",
"environmentName": "AUTO",
"sdcAddress": "sdc-be.{{ include "common.namespace" . }}:8443",
- "password": "b7acccda32b98c5bb7acccda32b98c5b05D511BD6D93626E90D18E9D24D9B78CD34C7EE8012F0A189A28763E82271E50A5D4EC10C7D93E06E0A2D27CAE66B981",
+ "password": "${SDC_CLIENT_PASSWORD_ENC}",
"pollingInterval":30,
"pollingTimeout":30,
"activateServerTLSAuth":"false",
- |
{{- if .Values.global.aafEnabled }}
export $(grep '^cadi_' {{ .Values.certInitializer.credsPath }}/org.onap.clamp.cred.props | xargs -0)
+ export SDC_CLIENT_PASSWORD_ENC=`java -jar {{ .Values.certInitializer.credsPath }}/aaf-cadi-aaf-2.1.20-full.jar cadi digest ${SDC_CLIENT_PASSWORD} {{ .Values.certInitializer.credsPath }}/org.onap.clamp.keyfile`;
+ envsubst < "/opt/policy/clamp/sdc-controllers-config.json" > "/opt/policy/clamp/sdc-controllers-config-pass.json"
{{- end }}
java -Djava.security.egd=file:/dev/./urandom ${JAVA_RAM_CONFIGURATION} -jar ./policy-clamp-backend.jar
ports:
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12 }}
- name: MYSQL_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "password") | indent 12 }}
+ - name: SDC_CLIENT_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdc-creds" "key" "password") | indent 12 }}
{{- if ne "unlimited" (include "common.flavor" .) }}
- name: JAVA_RAM_CONFIGURATION
value: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=75
credsPath: /opt/app/osaaf/local
aaf_add_config: >
/opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop;
- grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_truststore_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_truststore_password.pwd;
- grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_key_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_key_password.pwd;
- grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_keystore_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_keystore_password.pwd;
- grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_keystore_password_p12=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_keystore_password_p12.pwd;
cd {{ .Values.credsPath }};
chmod a+rx *;
login: '{{ .Values.db.user }}'
password: '{{ .Values.db.password }}'
passwordPolicy: required
+ - uid: sdc-creds
+ type: password
+ externalSecret: '{{ tpl (default "" .Values.sdc.sdcClientExternalSecret) . }}'
+ password: '{{ .Values.sdc.clientPassword }}'
+ passwordPolicy: required
flavor: small
# application image
-image: onap/policy-clamp-backend:6.0.2
+image: onap/policy-clamp-backend:6.1.1
pullPolicy: Always
# flag to enable debugging - application support required
#####dummy values for db user and password to pass lint!!!#######
+sdc:
+ clientPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
+
db:
user: policy_user
password: policy_user
app_ns: org.osaaf.aaf
credsPath: /opt/app/osaaf/local
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass | grep '^c' | xargs -0);
cd {{ .Values.credsPath }};
openssl pkcs12 -in {{ .Values.keystoreFile }} -nocerts -nodes -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_key }};
openssl pkcs12 -in {{ .Values.keystoreFile }} -clcerts -nokeys -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_pem }};
flavor: small
# application image
-image: onap/policy-clamp-frontend:6.0.2
+image: onap/policy-clamp-frontend:6.1.1
pullPolicy: Always
# flag to enable debugging - application support required
uid: 100
gid: 101
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }});
uid: 100
gid: 101
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
echo "export CADI_KEYFILE='{{ .Values.credsPath }}/org.onap.policy.keyfile'" >> {{ .Values.credsPath }}/.ci;
uid: 100
gid: 101
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }});
cpu: 200m
memory: 2Gi
unlimited: {}
-
uid: 100
gid: 101
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }});
cpu: 200m
memory: 2Gi
unlimited: {}
-
permission_group: 999
keystoreFile: "org.onap.portal.p12"
truststoreFile: "org.onap.portal.trust.jks"
- aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- /opt/app/aaf_config/bin/agent.sh local showpass \
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ aaf_add_config: |
+ echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop
# default number of instances
replicaCount: 1
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
extraArgs+=( '--dont-use-mysql-root-password' )
fi
- if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then
+ if echo 'SELECT 1' |docker_process_sql "${extraArgs[@]}" --database=mysql >/dev/null 2>&1; then
break
fi
sleep 1
# Creates a custom database and user if specified
if [ -n "$MYSQL_DATABASE" ]; then
mysql_note "Creating database ${MYSQL_DATABASE}"
- docker_process_sql --database=mysql <<<"CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;"
+ echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" |docker_process_sql --database=mysql
fi
if [ -n "$MYSQL_USER" ] && [ -n "$MYSQL_PASSWORD" ]; then
mysql_note "Creating user ${MYSQL_USER}"
- docker_process_sql --database=mysql <<<"CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;"
+ echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" |docker_process_sql --database=mysql
if [ -n "$MYSQL_DATABASE" ]; then
mysql_note "Giving user ${MYSQL_USER} access to schema ${MYSQL_DATABASE}"
- docker_process_sql --database=mysql <<<"GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;"
+ echo "GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;" |docker_process_sql --database=mysql
fi
- docker_process_sql --database=mysql <<<"FLUSH PRIVILEGES ;"
+ echo "FLUSH PRIVILEGES ;" |docker_process_sql --database=mysql
fi
}
permission_group: 999
keystoreFile: "org.onap.portal.p12"
truststoreFile: "org.onap.portal.trust.jks"
- aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- /opt/app/aaf_config/bin/agent.sh local showpass \
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ aaf_add_config: |
+ echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop
# flag to enable debugging - application support required
debugEnabled: false
echo "Executing instantiation..."
if [ $POLL = 1 ]; then
- kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "${ETEHOME}/runTags.sh ${VARIABLEFILES} ${VARIABLES} -d /share/logs/${OUTPUT_FOLDER} ${TAGS} --listener ${ETEHOME}/testsuite/eteutils/robotframework-onap/listeners/OVPListener.py --display $DISPLAY_NUM > /tmp/vnf_instantiation.$BUILDNUM.log 2>&1 &"
+ kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "${ETEHOME}/runTags.sh ${VARIABLEFILES} ${VARIABLES} -d /share/logs/${OUTPUT_FOLDER} ${TAGS} --listener ${ETEHOME}/testsuite/eteutils/robotframework-onap/listeners/OVPListener.py --display $DISPLAY_NUM > /tmp/vnf_instantiation.$BUILDNUM.log 2>&1 &"
- pid=`kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "pgrep runTags.sh -n"`
+ pid=`kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "pgrep runTags.sh -n"`
if [ -z "$pid" ]; then
echo "robot testsuite unable to start"
kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "while ps -p \"$pid\" --no-headers | grep -v defunct; do echo \$'\n\n'; echo \"Testsuite still running \"\`date\`; echo \"LOG FILE: \"; tail -10 /tmp/vnf_instantiation.$BUILDNUM.log; sleep 30; done"
else
- kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "${ETEHOME}/runTags.sh ${VARIABLEFILES} ${VARIABLES} -d /share/logs/${OUTPUT_FOLDER} ${TAGS} --listener ${ETEHOME}/testsuite/eteutils/robotframework-onap/listeners/OVPListener.py --display $DISPLAY_NUM"
+ kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "${ETEHOME}/runTags.sh ${VARIABLEFILES} ${VARIABLES} -d /share/logs/${OUTPUT_FOLDER} ${TAGS} --listener ${ETEHOME}/testsuite/eteutils/robotframework-onap/listeners/OVPListener.py --display $DISPLAY_NUM"
fi
-set +x
+set +x
echo "testsuite has finished"
# application image
repository: nexus3.onap.org:10001
-image: onap/testsuite:1.7.3
+image: onap/testsuite:1.8.0
pullPolicy: Always
ubuntuInitImage: oomk8s/ubuntu-init:2.0.0
truststoreFile: "org.onap.sdc.trust.jks"
permission_user: 352070
permission_group: 35953
- aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh local showpass
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ aaf_add_config: |
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop
#################################################################
# SDC Config part
truststoreFile: "org.onap.sdc.trust.jks"
permission_user: 352070
permission_group: 35953
- aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh local showpass
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ aaf_add_config: |
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop
#################################################################
# Application configuration defaults.
memory: 20Mi
{{- end }}
- name: volume-permissions
- image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }}
+ image: {{ include "repositoryGenerator.image.busybox" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command:
- sh
truststoreFile: "org.onap.sdc.trust.jks"
permission_user: 352070
permission_group: 35953
- aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh local showpass
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ aaf_add_config: |
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop
#################################################################
# Application configuration defaults.
truststoreFile: "org.onap.sdc.trust.jks"
permission_user: 352070
permission_group: 35953
- aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh local showpass
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ aaf_add_config: |
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop
#################################################################
# Application configuration defaults.
truststoreFile: "org.onap.sdc.trust.jks"
permission_user: 352070
permission_group: 35953
- aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh local showpass
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ aaf_add_config: |
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop
#################################################################
# Application configuration defaults.
selector:
statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-2
{{ end }}
+
+{{ if .Values.config.sdnr.netconfCallHome.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "common.servicename" . }}-callhome
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+spec:
+ type: NodePort
+ ports:
+ - name: "{{ .Values.service.portName }}-callhome"
+ port: {{ .Values.service.callHomePort }}
+ targetPort: {{ .Values.service.callHomePort }}
+ nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.callHomeNodePort }}
+ selector:
+ app.kubernetes.io/name: {{ include "common.name" . }}
+ app.kubernetes.io/instance: {{ include "common.release" . }}
+{{ end }}
- containerPort: {{ .Values.service.internalPort2 }}
- containerPort: {{ .Values.service.internalPort3 }}
- containerPort: {{ .Values.service.clusterPort }}
+ {{- if .Values.config.sdnr.netconfCallHome.enabled }}
+ - containerPort: {{ .Values.service.callHomePort }}
+ {{- end }}
readinessProbe:
tcpSocket:
port: {{ .Values.service.internalPort }}
{{- end }}
- name: ENABLE_OAUTH
value: "{{ .Values.config.sdnr.oauth.enabled | default "false" }}"
+ - name: SDNR_NETCONF_CALLHOME_ENABLED
+ value: "{{ .Values.config.sdnr.netconfCallHome.enabled | default "false" }}"
volumeMounts:
{{ include "common.certInitializer.volumeMount" . | indent 10 }}
{{ include "common.certServiceClient.volumeMounts" . | indent 10 }}
sdnrdbTrustAllCerts: true
mountpointRegistrarEnabled: false
mountpointStateProviderEnabled: false
+ netconfCallHome:
+ enabled: true
#
# enable and set dmaap-proxy for mountpointRegistrar
dmaapProxy:
geoNodePort5: 65
geoNodePort6: 66
+ callHomePort: 6666
+ callHomeNodePort: 66
+
## Persist data to a persitent volume
persistence:
enabled: true
disableNfsProvisioner: true
serviceAccount:
nameOverride: *vfc-mariadb
+ replicaCount: 1
db: &dbConfig
mariadbService: vfc-mariadb
workflowPort: 10550
vfc-zte-vnfm-driver:
- enabled: true
\ No newline at end of file
+ enabled: true
Code Review / oom.git / commitdiff