From: Krzysztof Opasiak Date: Tue, 11 May 2021 12:30:14 +0000 (+0000) Subject: Merge "[COMMON] Add custom certs into AAF truststore" X-Git-Tag: 9.0.0~272 X-Git-Url: https://gerrit.onap.org/r/gitweb?p=oom.git;a=commitdiff_plain;h=21349802fd5b6aea04b66630f108b3603930c7c4;hp=ff5947f44df7f274e443768bdbe80928e96c412d Merge "[COMMON] Add custom certs into AAF truststore" --- diff --git a/docs/oom_quickstart_guide.rst b/docs/oom_quickstart_guide.rst index 5136e537f6..2fedc091d8 100644 --- a/docs/oom_quickstart_guide.rst +++ b/docs/oom_quickstart_guide.rst @@ -67,6 +67,12 @@ to suit your deployment with items like the OpenStack tenant information. +.. note:: + If you want to use CMPv2 certificate onboarding, Cert-Manager must be installed. + :doc:`Click here ` to see how to install Cert-Manager. + + + a. Enabling/Disabling Components: Here is an example of the nominal entries that need to be provided. We have different values file available for different contexts. diff --git a/docs/release-notes.rst b/docs/release-notes.rst index d8e529a347..ae0ea457f5 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -42,7 +42,7 @@ Release Data | **Release designation** | Honolulu | | | | +--------------------------------------+--------------------------------------+ -| **Release date** | 2020/12/03 | +| **Release date** | 2021/04/29 | | | | +--------------------------------------+--------------------------------------+ @@ -52,18 +52,53 @@ New features * Kubernetes support for version up to 1.20 * Helm support for version up to 3.5 * Limits are set for most of the components +* Portal-Cassandra image updated to Bitnami, supporting IPv4/IPv6 Dual Stack +* CMPv2 external issuer implemented which extends Cert-Manager with ability to + enroll X.509 certificates from CMPv2 servers +* New version for mariadb galera using Bitnami image, supporting IPv4/IPv6 Dual + Stack +* Bump version of common PostgreSQL and ElasticSearch +* Move to automatic certificates retrieval for 80% of the components +* Consistent retrieval of docker images, with ability to configure proxy for + the 4 repositories used by ONAP **Bug fixes** A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/10826 +https://jira.onap.org/projects/OOM/versions/11073 -**Known Issues** +major issues solved: -- ``_ - bitnami mariadb galera image doesn't support single quote in password. +* Better handling of persistence on PostgreSQL +* Better Ingress templating +* Better Service templating +**Known Issues** +- `OOM-2554 `_ Common pods have java 8 +- `OOM-2435 `_ SDNC karaf shell: + log:list: Error executing command: Unrecognized configuration +- `OOM-2629 `_ NetBox demo entry setup + not complete +- `OOM-2706 `_ CDS Blueprint Processor + does not work with local DB +- `OOM-2713 `_ Problem on onboarding + custom cert to SDNC ONAP during deployment +- `OOM-2698 `_ SO helm override fails in + for value with multi-level replacement +- `OOM-2697 `_ SO with local MariaDB + deployment fails +- `OOM-2538 `_ strange error with + CertInitializer template +- `OOM-2547 `_ Health Check failures + seen after bringing down/up control plane & worker node VM instances on which + ONAP hosted +- `OOM-2699 `_ SO so-mariadb + readinessCheck fails for local MariaDB instance +- `OOM-2705 `_ SDNC DB installation fails + on local MariaDB instance +- `OOM-2603 `_ [SDNC] allign password for + scaleoutUser/restconfUser/odlUser Deliverables ------------ diff --git a/kubernetes/a1policymanagement/templates/deployment.yaml b/kubernetes/a1policymanagement/templates/deployment.yaml index 822c0e3cb1..0d8399c8b3 100644 --- a/kubernetes/a1policymanagement/templates/deployment.yaml +++ b/kubernetes/a1policymanagement/templates/deployment.yaml @@ -19,7 +19,14 @@ kind: Deployment apiVersion: apps/v1 -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ include "common.release" . }}" + heritage: "{{ .Release.Service }}" spec: replicas: {{ index .Values.replicaCount }} selector: {{- include "common.selectors" . | nindent 4 }} @@ -101,7 +108,9 @@ spec: subPath: application_configuration.json - name: config mountPath: /opt/app/policy-agent/config/application.yaml - subPath: application.yaml + subPath: application.yaml + - name: vardata + mountPath: "/var/policy-management-service/database" resources: {{ include "common.resources" . | nindent 10 }} volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: {{ include "common.fullname" . }}-policy-conf-input @@ -114,3 +123,6 @@ spec: - name: config emptyDir: medium: Memory + - name: vardata + persistentVolumeClaim: + claimName: {{ include "common.fullname" . }} diff --git a/kubernetes/a1policymanagement/templates/pv.yaml b/kubernetes/a1policymanagement/templates/pv.yaml new file mode 100644 index 0000000000..904d863b03 --- /dev/null +++ b/kubernetes/a1policymanagement/templates/pv.yaml @@ -0,0 +1,42 @@ +{{/* +################################################################################ +# Copyright (c) 2021 Nordix Foundation. # +# # +# Licensed under the Apache License, Version 2.0 (the "License"); # +# you may not use this file except in compliance with the License. # +# You may obtain a copy of the License at # +# # +# http://www.apache.org/licenses/LICENSE-2.0 # +# # +# Unless required by applicable law or agreed to in writing, software # +# distributed under the License is distributed on an "AS IS" BASIS, # +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # +# See the License for the specific language governing permissions and # +# limitations under the License. # +################################################################################ +*/}} + +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} +{{- if not .Values.persistence.storageClass -}} +kind: PersistentVolume +apiVersion: v1 +metadata: + name: {{ include "common.fullname" . }}-data + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + release: "{{ include "common.release" . }}" + heritage: "{{ .Release.Service }}" + name: {{ include "common.fullname" . }} +spec: + capacity: + storage: {{ .Values.persistence.size}} + accessModes: + - {{ .Values.persistence.accessMode }} + persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} + storageClassName: "{{ include "common.fullname" . }}-data" + hostPath: + path: {{ .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}/app +{{- end -}} +{{- end -}} diff --git a/kubernetes/a1policymanagement/templates/pvc.yaml b/kubernetes/a1policymanagement/templates/pvc.yaml new file mode 100644 index 0000000000..4183edfdbb --- /dev/null +++ b/kubernetes/a1policymanagement/templates/pvc.yaml @@ -0,0 +1,41 @@ +{{/* +################################################################################ +# Copyright (c) 2021 Nordix Foundation. # +# # +# Licensed under the Apache License, Version 2.0 (the "License"); # +# you may not use this file except in compliance with the License. # +# You may obtain a copy of the License at # +# # +# http://www.apache.org/licenses/LICENSE-2.0 # +# # +# Unless required by applicable law or agreed to in writing, software # +# distributed under the License is distributed on an "AS IS" BASIS, # +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # +# See the License for the specific language governing permissions and # +# limitations under the License. # +################################################################################ +*/}} + +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ include "common.release" . }}" + heritage: "{{ .Release.Service }}" + {{- if .Values.persistence.annotations }} + annotations: +{{ .Values.persistence.annotations | indent 4 }} + {{- end }} +spec: + accessModes: + - {{ .Values.persistence.accessMode }} + resources: + requests: + storage: {{ .Values.persistence.size }} + storageClassName: {{ include "common.fullname" . }}-data +{{- end -}} diff --git a/kubernetes/a1policymanagement/values.yaml b/kubernetes/a1policymanagement/values.yaml index 41a93ee014..08590d891c 100644 --- a/kubernetes/a1policymanagement/values.yaml +++ b/kubernetes/a1policymanagement/values.yaml @@ -122,10 +122,10 @@ resources: small: limits: cpu: 2 - memory: 4Gi + memory: 300Mi requests: cpu: 1 - memory: 2Gi + memory: 150Mi large: limits: cpu: 4 @@ -134,3 +134,28 @@ resources: cpu: 2 memory: 4Gi unlimited: {} + +## Persist data to a persistent volume +persistence: + enabled: true + + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + # existingClaim: + volumeReclaimPolicy: Retain + + ## database data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessMode: ReadWriteOnce + size: 2Gi + mountPath: /dockerdata-nfs + mountSubPath: nonrtric/policymanagementservice + + diff --git a/kubernetes/aaf/components/aaf-cass/values.yaml b/kubernetes/aaf/components/aaf-cass/values.yaml index 525674434e..a1a1abe55a 100644 --- a/kubernetes/aaf/components/aaf-cass/values.yaml +++ b/kubernetes/aaf/components/aaf-cass/values.yaml @@ -93,4 +93,4 @@ persistence: mountSubPath: "cass" volumeReclaimPolicy: Retain accessMode: ReadWriteOnce - size: 20Gi + size: 5Gi diff --git a/kubernetes/aai/components/aai-resources/resources/config/application-keycloak.properties b/kubernetes/aai/components/aai-resources/resources/config/application-keycloak.properties index 4f480cb5d7..774e8bd5ca 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/application-keycloak.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/application-keycloak.properties @@ -3,10 +3,10 @@ spring.autoconfigure.exclude=\ org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\ org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration -multi.tenancy.enabled=true +multi.tenancy.enabled={{ .Values.config.keycloak.multiTenancy.enabled }} keycloak.auth-server-url=http://{{ .Values.config.keycloak.host }}:{{ .Values.config.keycloak.port }}/auth -keycloak.realm=aai-resources -keycloak.resource=aai-resources-app +keycloak.realm={{ .Values.config.keycloak.realm }} +keycloak.resource={{ .Values.config.keycloak.resource }} keycloak.public-client=true keycloak.principal-attribute=preferred_username diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml index b84139161e..f30b067b2e 100644 --- a/kubernetes/aai/components/aai-resources/values.yaml +++ b/kubernetes/aai/components/aai-resources/values.yaml @@ -49,7 +49,7 @@ global: # global defaults # Active spring profiles for the resources microservice profiles: - active: production,dmaap,aaf-auth + active: production,dmaap,aaf-auth #,keycloak # Notification event specific properties notification: @@ -164,9 +164,19 @@ replicaCount: 1 # Configuration for the resources deployment config: + # configure keycloak according to your environment. + # don't forget to add keycloak in active profiles above (global.config.profiles) keycloak: - host: localhost + host: keycloak.your.domain port: 8180 + # Specifies a set of users, credentials, roles, and groups + realm: aai-resources + # Used by any client application for enabling fine-grained authorization for their protected resources + resource: aai-resources-app + # If set to true, additional criteria will be added that match the data-owner property with the given role + # to the user in keycloak + multiTenancy: + enabled: true # Specifies crud related operation timeouts and overrides crud: diff --git a/kubernetes/aai/components/aai-traversal/resources/config/application-keycloak.properties b/kubernetes/aai/components/aai-traversal/resources/config/application-keycloak.properties new file mode 100644 index 0000000000..dd1956b63f --- /dev/null +++ b/kubernetes/aai/components/aai-traversal/resources/config/application-keycloak.properties @@ -0,0 +1,13 @@ +spring.autoconfigure.exclude=\ + org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\ + org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration + +multi.tenancy.enabled={{ .Values.config.keycloak.multiTenancy.enabled }} +keycloak.auth-server-url=http://{{ .Values.config.keycloak.host }}:{{ .Values.config.keycloak.port }}/auth +keycloak.realm={{ .Values.config.keycloak.realm }} +keycloak.resource={{ .Values.config.keycloak.resource }} +keycloak.public-client=false +keycloak.principal-attribute=preferred_username + +keycloak.ssl-required=external +keycloak.bearer-only=true diff --git a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml index c0bcb3b491..8f1bd2ddc8 100644 --- a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml @@ -32,6 +32,7 @@ data: {{ tpl (.Files.Glob "resources/config/janusgraph-cached.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/aaiconfig.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/config/application-keycloak.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }} --- apiVersion: v1 diff --git a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml index 7e54f1d432..dc1c010261 100644 --- a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml @@ -188,6 +188,9 @@ spec: - mountPath: /opt/app/aai-traversal/resources/application.properties name: {{ include "common.fullname" . }}-config subPath: application.properties + - mountPath: /opt/app/aai-traversal/resources/application-keycloak.properties + name: {{ include "common.fullname" . }}-config + subPath: application-keycloak.properties ports: - containerPort: {{ .Values.service.internalPort }} - containerPort: {{ .Values.service.internalPort2 }} diff --git a/kubernetes/aai/components/aai-traversal/values.yaml b/kubernetes/aai/components/aai-traversal/values.yaml index 38011a0c98..ad4279a543 100644 --- a/kubernetes/aai/components/aai-traversal/values.yaml +++ b/kubernetes/aai/components/aai-traversal/values.yaml @@ -59,7 +59,7 @@ global: # global defaults # Active spring profiles for the resources microservice profiles: - active: production,dmaap,aaf-auth + active: production,dmaap,aaf-auth #,keycloak # Notification event specific properties notification: @@ -168,6 +168,20 @@ aai_enpoints: # application configuration config: + # configure keycloak according to your environment. + # don't forget to add keycloak in active profiles above (global.config.profiles) + keycloak: + host: keycloak.your.domain + port: 8180 + # Specifies a set of users, credentials, roles, and groups + realm: aai-traversal + # Used by any client application for enabling fine-grained authorization for their protected resources + resource: aai-traversal-app + # If set to true, additional criteria will be added into traversal query to returns all the vertices that match + # the data-owner property with the given role to the user in keycloak + multiTenancy: + enabled: true + # Specifies timeout information such as application specific and limits timeout: # If set to true application will timeout for queries taking longer than limit diff --git a/kubernetes/appc/components/appc-cdt/values.yaml b/kubernetes/appc/components/appc-cdt/values.yaml index 3b1ff47116..5765d3482d 100644 --- a/kubernetes/appc/components/appc-cdt/values.yaml +++ b/kubernetes/appc/components/appc-cdt/values.yaml @@ -38,27 +38,17 @@ certInitializer: cadi_longitude: "-72.0" credsPath: /opt/app/osaaf/local aaf_add_config: | - echo "*** retrieving password for keystore" - export $(/opt/app/aaf_config/bin/agent.sh local showpass \ - {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0) - if [ -z "$cadi_keystore_password_p12" ] - then - echo " /!\ certificates retrieval failed" - exit 1 - else - cd {{ .Values.credsPath }}; - mkdir -p certs; - echo "*** transform AAF certs into pem files" - mkdir -p {{ .Values.credsPath }}/certs - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key file" - cp {{ .Values.fqi_namespace }}.key certs/key.pem; - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} - fi + echo "*** transform AAF certs into pem files" + mkdir -p {{ .Values.credsPath }}/certs + openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ + -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ + -passin pass:$cadi_keystore_password_p12 \ + -passout pass:$cadi_keystore_password_p12 + echo "*** copy key file" + cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ + {{ .Values.credsPath }}/certs/key.pem + echo "*** change ownership of certificates to targeted user" + chown -R 1000 {{ .Values.credsPath }} ################################################################# # Application configuration defaults. diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/health_check.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/health_check.sh index 6e35ca894c..f2675b0404 100755 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/health_check.sh +++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/health_check.sh @@ -18,7 +18,7 @@ waiting_bundles=$(/opt/opendaylight/current/bin/client bundle:list | grep Waiting | wc -l) run_level=$(/opt/opendaylight/current/bin/client system:start-level) - if [ "$run_level" == "Level 100" ] && [ "$waiting_bundles" -lt "1" ] + if [ "$run_level" = "Level 100" ] && [ "$waiting_bundles" -lt "1" ] then echo APPC is healthy. else diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh index c78daee558..85f5aac246 100755 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh +++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh @@ -65,7 +65,7 @@ DBINIT_DIR=${DBINIT_DIR:-/opt/opendaylight/current/daexim} # Wait for database to init properly # echo "Waiting for mariadbgalera" -until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql &> /dev/null +until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql >/dev/null 2>&1 do printf "." sleep 1 @@ -83,7 +83,7 @@ then show databases like 'sdnctl'; END ) - if [ "x${sdnc_db_exists}" == "x" ] + if [ "x${sdnc_db_exists}" = "x" ] then echo "Installing SDNC database" ${SDNC_HOME}/bin/installSdncDb.sh @@ -92,7 +92,7 @@ END show databases like 'appcctl'; END ) - if [ "x${appc_db_exists}" == "x" ] + if [ "x${appc_db_exists}" = "x" ] then echo "Installing APPC database" ${APPC_HOME}/bin/installAppcDb.sh diff --git a/kubernetes/appc/values.yaml b/kubernetes/appc/values.yaml index cc56bb4859..83d00a7545 100644 --- a/kubernetes/appc/values.yaml +++ b/kubernetes/appc/values.yaml @@ -129,6 +129,7 @@ mariadb-galera: disableNfsProvisioner: true serviceAccount: nameOverride: *appc-db + replicaCount: 1 dgbuilder: nameOverride: appc-dgbuilder diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml index 9645b20cd2..c2e034204c 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml @@ -123,6 +123,16 @@ spec: - containerPort: {{ .Values.service.http.internalPort }} - containerPort: {{ .Values.service.grpc.internalPort }} - containerPort: {{ .Values.service.cluster.internalPort }} + startupProbe: + httpGet: + path: /api/v1/execution-service/health-check + port: {{ .Values.service.http.internalPort }} + httpHeaders: + - name: Authorization + value: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== + initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} + failureThreshold: {{ .Values.startup.failureThreshold }} + periodSeconds: {{ .Values.startup.periodSeconds }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/values.yaml b/kubernetes/cds/components/cds-blueprints-processor/values.yaml index 266032844d..fe60b8023c 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/values.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/values.yaml @@ -51,7 +51,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-blueprintsprocessor:1.1.2 +image: onap/ccsdk-blueprintsprocessor:1.1.4 pullPolicy: Always # flag to enable debugging - application support required @@ -77,7 +77,7 @@ config: # dbRootPassExternalSecret # default number of instances -replicaCount: 3 +replicaCount: 1 nodeSelector: {} @@ -89,8 +89,13 @@ dmaapEnabled: true # probe configuration parameters +startup: + initialDelaySeconds: 10 + failureThreshold: 30 + periodSeconds: 10 + liveness: - initialDelaySeconds: 120 + initialDelaySeconds: 0 periodSeconds: 20 timeoutSeconds: 20 # necessary to disable liveness probe when setting breakpoints @@ -129,7 +134,7 @@ persistence: cluster: # Cannot have cluster enabled if the replicaCount is not at least 3 - enabled: true + enabled: false clusterName: cds-cluster diff --git a/kubernetes/cds/components/cds-command-executor/values.yaml b/kubernetes/cds/components/cds-command-executor/values.yaml index bed223ebcd..f867565915 100755 --- a/kubernetes/cds/components/cds-command-executor/values.yaml +++ b/kubernetes/cds/components/cds-command-executor/values.yaml @@ -32,7 +32,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-commandexecutor:1.1.2 +image: onap/ccsdk-commandexecutor:1.1.4 pullPolicy: Always # application configuration diff --git a/kubernetes/cds/components/cds-py-executor/values.yaml b/kubernetes/cds/components/cds-py-executor/values.yaml index dfc7e59dda..af042c1605 100755 --- a/kubernetes/cds/components/cds-py-executor/values.yaml +++ b/kubernetes/cds/components/cds-py-executor/values.yaml @@ -30,7 +30,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-py-executor:1.1.2 +image: onap/ccsdk-py-executor:1.1.4 pullPolicy: Always # default number of instances diff --git a/kubernetes/cds/components/cds-sdc-listener/values.yaml b/kubernetes/cds/components/cds-sdc-listener/values.yaml index f6f45b7ad8..e46539fb35 100644 --- a/kubernetes/cds/components/cds-sdc-listener/values.yaml +++ b/kubernetes/cds/components/cds-sdc-listener/values.yaml @@ -29,7 +29,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-sdclistener:1.1.2 +image: onap/ccsdk-sdclistener:1.1.4 name: sdc-listener pullPolicy: Always diff --git a/kubernetes/cds/components/cds-ui/values.yaml b/kubernetes/cds/components/cds-ui/values.yaml index 8120679803..697602f209 100644 --- a/kubernetes/cds/components/cds-ui/values.yaml +++ b/kubernetes/cds/components/cds-ui/values.yaml @@ -44,7 +44,7 @@ certInitializer: {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop # application image -image: onap/ccsdk-cds-ui-server:1.1.2 +image: onap/ccsdk-cds-ui-server:1.1.4 pullPolicy: Always # application configuration diff --git a/kubernetes/cds/values.yaml b/kubernetes/cds/values.yaml index 5510b3a3a0..edac066f6f 100644 --- a/kubernetes/cds/values.yaml +++ b/kubernetes/cds/values.yaml @@ -84,6 +84,126 @@ mariadb-galera: serviceAccount: nameOverride: *dbServer + mariadbConfiguration: |- + [client] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + plugin_dir=/opt/bitnami/mariadb/plugin + + [mysqld] + lower_case_table_names = 1 + default_storage_engine=InnoDB + basedir=/opt/bitnami/mariadb + datadir=/bitnami/mariadb/data + plugin_dir=/opt/bitnami/mariadb/plugin + tmpdir=/opt/bitnami/mariadb/tmp + socket=/opt/bitnami/mariadb/tmp/mysql.sock + pid_file=/opt/bitnami/mariadb/tmp/mysqld.pid + bind_address=0.0.0.0 + + ## Character set + collation_server=utf8_unicode_ci + init_connect='SET NAMES utf8' + character_set_server=utf8 + + ## MyISAM + key_buffer_size=32M + myisam_recover_options=FORCE,BACKUP + + ## Safety + skip_host_cache + skip_name_resolve + max_allowed_packet=16M + max_connect_errors=1000000 + sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY + sysdate_is_now=1 + + ## Binary Logging + log_bin=mysql-bin + expire_logs_days=14 + # Disabling for performance per http://severalnines.com/blog/9-tips-going-production-galera-cluster-mysql + sync_binlog=0 + # Required for Galera + binlog_format=row + + ## Caches and Limits + tmp_table_size=32M + max_heap_table_size=32M + # Re-enabling as now works with Maria 10.1.2 + query_cache_type=1 + query_cache_limit=4M + query_cache_size=256M + max_connections=500 + thread_cache_size=50 + open_files_limit=65535 + table_definition_cache=4096 + table_open_cache=4096 + + ## InnoDB + innodb=FORCE + innodb_strict_mode=1 + # Mandatory per https://github.com/codership/documentation/issues/25 + innodb_autoinc_lock_mode=2 + # Per https://www.percona.com/blog/2006/08/04/innodb-double-write/ + innodb_doublewrite=1 + innodb_flush_method=O_DIRECT + innodb_log_files_in_group=2 + innodb_log_file_size=128M + innodb_flush_log_at_trx_commit=1 + innodb_file_per_table=1 + # 80% Memory is default reco. + # Need to re-evaluate when DB size grows + innodb_buffer_pool_size=2G + innodb_file_format=Barracuda + + ## Logging + log_error=/opt/bitnami/mariadb/logs/mysqld.log + slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log + log_queries_not_using_indexes=1 + slow_query_log=1 + + ## SSL + ## Use extraVolumes and extraVolumeMounts to mount /certs filesystem + # ssl_ca=/certs/ca.pem + # ssl_cert=/certs/server-cert.pem + # ssl_key=/certs/server-key.pem + + [galera] + wsrep_on=ON + wsrep_provider=/opt/bitnami/mariadb/lib/libgalera_smm.so + wsrep_sst_method=mariabackup + wsrep_slave_threads=4 + wsrep_cluster_address=gcomm:// + wsrep_cluster_name=galera + wsrep_sst_auth="root:" + # Enabled for performance per https://mariadb.com/kb/en/innodb-system-variables/#innodb_flush_log_at_trx_commit + innodb_flush_log_at_trx_commit=2 + # MYISAM REPLICATION SUPPORT # + wsrep_replicate_myisam=ON + + [mariadb] + plugin_load_add=auth_pam + + ## Data-at-Rest Encryption + ## Use extraVolumes and extraVolumeMounts to mount /encryption filesystem + # plugin_load_add=file_key_management + # file_key_management_filename=/encryption/keyfile.enc + # file_key_management_filekey=FILE:/encryption/keyfile.key + # file_key_management_encryption_algorithm=AES_CTR + # encrypt_binlog=ON + # encrypt_tmp_files=ON + + ## InnoDB/XtraDB Encryption + # innodb_encrypt_tables=ON + # innodb_encrypt_temporary_tables=ON + # innodb_encrypt_log=ON + # innodb_encryption_threads=4 + # innodb_encryption_rotate_key_age=1 + + ## Aria Encryption + # aria_encrypt_tables=ON + # encrypt_tmp_disk_tables=ON + cds-blueprints-processor: enabled: true config: diff --git a/kubernetes/common/cassandra/resources/restore.sh b/kubernetes/common/cassandra/resources/restore.sh index b56c0fac70..a8105345f7 100644 --- a/kubernetes/common/cassandra/resources/restore.sh +++ b/kubernetes/common/cassandra/resources/restore.sh @@ -75,7 +75,7 @@ esac done # Validate inputs -if [ "$base_db_dir" == "" ] || [ "$ss_dir" == "" ] || [ "$keyspace_name" == "" ] +if [ "$base_db_dir" = "" ] || [ "$ss_dir" = "" ] || [ "$keyspace_name" = "" ] then echo "" echo ">>>>>>>>>>Not all inputs provided, please check usage >>>>>>>>>>" diff --git a/kubernetes/common/cassandra/templates/statefulset.yaml b/kubernetes/common/cassandra/templates/statefulset.yaml index 953c89d24d..3553cd4069 100644 --- a/kubernetes/common/cassandra/templates/statefulset.yaml +++ b/kubernetes/common/cassandra/templates/statefulset.yaml @@ -71,6 +71,17 @@ spec: timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} + startupProbe: + exec: + command: + - /bin/bash + - -c + - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' + initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} + periodSeconds: {{ .Values.startup.periodSeconds }} + timeoutSeconds: {{ .Values.startup.timeoutSeconds }} + successThreshold: {{ .Values.startup.successThreshold }} + failureThreshold: {{ .Values.startup.failureThreshold }} env: {{- $seed_size := default 1 .Values.replicaCount | int -}} {{- $global := . }} diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml index c3d22cedc0..9f19bf5c14 100644 --- a/kubernetes/common/cassandra/values.yaml +++ b/kubernetes/common/cassandra/values.yaml @@ -54,8 +54,8 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 60 - periodSeconds: 20 + initialDelaySeconds: 1 + periodSeconds: 10 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 @@ -64,12 +64,19 @@ liveness: enabled: true readiness: - initialDelaySeconds: 120 - periodSeconds: 20 + initialDelaySeconds: 1 + periodSeconds: 10 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 +startup: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 90 + service: name: cassandra headless: @@ -119,7 +126,7 @@ persistence: ## storageClass: "-" ## Not set as it depends of the backup enabledment or not. accessMode: ReadWriteOnce - size: 2Gi + size: 10Gi mountPath: /dockerdata-nfs mountSubPath: cassandra storageType: local diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh index b5a1d57649..cb4153e778 100755 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh +++ b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh @@ -17,6 +17,7 @@ */}} CERTS_DIR=${CERTS_DIR:-/certs} +MORE_CERTS_DIR=${MORE_CERTS_DIR:-/more_certs} WORK_DIR=${WORK_DIR:-/updatedTruststore} ONAP_TRUSTSTORE=${ONAP_TRUSTSTORE:-truststoreONAPall.jks} JRE_TRUSTSTORE=${JRE_TRUSTSTORE:-$JAVA_HOME/lib/security/cacerts} @@ -28,18 +29,18 @@ mkdir -p $WORK_DIR for f in $CERTS_DIR/*; do export canonical_name_nob64=$(echo $f | sed 's/.*\/\([^\/]*\)/\1/') export canonical_name_b64=$(echo $f | sed 's/.*\/\([^\/]*\)\(\.b64\)/\1/') - if [ "$AAF_ENABLED" == "false" ] && [ "$canonical_name_b64" == "$ONAP_TRUSTSTORE" ]; then + if [ "$AAF_ENABLED" = "false" ] && [ "$canonical_name_b64" = "$ONAP_TRUSTSTORE" ]; then # Dont use onap truststore when aaf is disabled continue fi - if [ "$AAF_ENABLED" == "false" ] && [ "$canonical_name_nob64" == "$ONAP_TRUSTSTORE" ]; then + if [ "$AAF_ENABLED" = "false" ] && [ "$canonical_name_nob64" = "$ONAP_TRUSTSTORE" ]; then # Dont use onap truststore when aaf is disabled continue fi - if [ ${f: -3} == ".sh" ]; then + if [ ${f: -3} = ".sh" ]; then continue fi - if [ ${f: -4} == ".b64" ] + if [ ${f: -4} = ".b64" ] then base64 -d $f > $WORK_DIR/`basename $f .b64` else @@ -47,8 +48,15 @@ for f in $CERTS_DIR/*; do fi done +for f in $MORE_CERTS_DIR/*; do + if [ ${f: -4} == ".pem" ] + then + cp $f $WORK_DIR/. + fi +done + # Prepare truststore output file -if [ "$AAF_ENABLED" == "true" ] +if [ "$AAF_ENABLED" = "true" ] then echo "AAF is enabled, use 'AAF' truststore" export TRUSTSTORE_OUTPUT_FILENAME=${ONAP_TRUSTSTORE} @@ -59,7 +67,7 @@ fi # Import Custom Certificates for f in $WORK_DIR/*; do - if [ ${f: -4} == ".pem" ]; then + if [ ${f: -4} = ".pem" ]; then echo "importing certificate: $f" keytool -import -file $f -alias `basename $f` -keystore $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME -storepass $TRUSTSTORE_PASSWORD -noprompt if [ $? != 0 ]; then diff --git a/kubernetes/common/certInitializer/resources/ingress/onboard.sh b/kubernetes/common/certInitializer/resources/ingress/onboard.sh new file mode 100644 index 0000000000..9cc5ec580e --- /dev/null +++ b/kubernetes/common/certInitializer/resources/ingress/onboard.sh @@ -0,0 +1,35 @@ +#!/bin/sh + +{{/* +# Copyright © 2020 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/ -}} + +echo "*** retrieving certificates and keys" +export CRT=$(cat {{ .Values.credsPath }}/certs/tls.crt | base64 -w 0) +export KEY=$(cat {{ .Values.credsPath }}/certs/tls.key | base64 -w 0) +export CACERT=$(cat {{ .Values.credsPath }}/certs/cacert.pem | base64 -w 0) +echo "*** creating tls secret" +cat < -if [ "${DEBUG}" == "true" ]; then - if [ "${DEBUG_PORT}" == "" ]; then +if [ "${DEBUG}" = "true" ]; then + if [ "${DEBUG_PORT}" = "" ]; then DEBUG_PORT=8000 fi echo "Debug mode on" diff --git a/kubernetes/common/music/values.yaml b/kubernetes/common/music/values.yaml index 25cab910a9..f578949196 100644 --- a/kubernetes/common/music/values.yaml +++ b/kubernetes/common/music/values.yaml @@ -164,5 +164,4 @@ certInitializer: credsPath: /opt/app/osaaf/local appMountPath: /opt/app/aafcertman aaf_add_config: > - cd {{ .Values.credsPath }}; - /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} | grep cadi_keystore_password_jks= | cut -d= -f 2 > {{ .Values.credsPath }}/.pass 2>&1; + echo "$cadi_keystore_password_jks" > {{ .Values.credsPath }}/.pass; diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl index a6b434f43a..91f21ab0c9 100644 --- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl +++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2021 AT&T # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -86,6 +87,10 @@ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "certServiceClientImage") .) }} {{- end -}} +{{- define "repositoryGenerator.image.dcaepolicysync" -}} + {{- include "repositoryGenerator.image._helper" (merge (dict "image" "dcaePolicySyncImage") .) }} +{{- end -}} + {{- define "repositoryGenerator.image.envsubst" -}} {{- include "repositoryGenerator.image._helper" (merge (dict "image" "envsubstImage") .) }} {{- end -}} diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml index 386ba9b490..8a68f6dd9c 100644 --- a/kubernetes/common/repositoryGenerator/values.yaml +++ b/kubernetes/common/repositoryGenerator/values.yaml @@ -1,5 +1,5 @@ # Copyright © 2020 Orange -# Copyright © 2021 Nokia +# Copyright © 2021 Nokia, AT&T # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -34,6 +34,7 @@ global: nginxImage: bitnami/nginx:1.18-debian-10 postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1 readinessImage: onap/oom/readiness:3.0.1 + dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 # Default credentials # they're optional. If the target repository doesn't need them, comment them @@ -65,3 +66,4 @@ imageRepoMapping: nginxImage: dockerHubRepository postgresImage: dockerHubRepository readinessImage: repository + dcaePolicySyncImage: repository diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh index 657b5f9448..1a75bd7a85 100755 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh +++ b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh @@ -86,9 +86,9 @@ deploy() { target_machine_notice_info } -if [[ $# -eq 1 ]] && [[ $1 == "-h" || $1 == "--help" ]]; then +if [[ $# -eq 1 ]] && [[ $1 = "-h" || $1 = "--help" ]]; then usage -elif [[ $# -eq 1 ]] && [[ $1 == "--info" ]]; then +elif [[ $# -eq 1 ]] && [[ $1 = "--info" ]]; then target_machine_notice_info else deploy $@ diff --git a/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh b/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh index 6e412a3688..44fe79a0c6 100755 --- a/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh +++ b/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh @@ -76,7 +76,7 @@ manual_configuration() { generate_config_map $@ } -if [[ $# -eq 1 ]] && [[ $1 == "-h" || $1 == "--help" ]]; then +if [[ $# -eq 1 ]] && [[ $1 = "-h" || $1 = "--help" ]]; then usage elif [[ $# -eq 0 ]]; then automatic_configuration diff --git a/kubernetes/contrib/tools/check-for-staging-images.sh b/kubernetes/contrib/tools/check-for-staging-images.sh index ce51b30b58..8c01312fa2 100755 --- a/kubernetes/contrib/tools/check-for-staging-images.sh +++ b/kubernetes/contrib/tools/check-for-staging-images.sh @@ -16,7 +16,7 @@ BASE_URL="https://nexus3.onap.org/repository/docker.release" -if [ "$GERRIT_BRANCH" == "staging" ]; then +if [ "$GERRIT_BRANCH" = "staging" ]; then exit 0 fi diff --git a/kubernetes/contrib/tools/rke/rke_setup.sh b/kubernetes/contrib/tools/rke/rke_setup.sh index cde7d4caa0..7950e0cc88 100755 --- a/kubernetes/contrib/tools/rke/rke_setup.sh +++ b/kubernetes/contrib/tools/rke/rke_setup.sh @@ -258,14 +258,14 @@ EOF helm init --service-account tiller kubectl -n kube-system rollout status deploy/tiller-deploy echo "upgrade server side of helm in kubernetes" - if [ "$USERNAME" == "root" ]; then + if [ "$USERNAME" = "root" ]; then helm version else sudo helm version fi echo "sleep 30" sleep 30 - if [ "$USERNAME" == "root" ]; then + if [ "$USERNAME" = "root" ]; then helm init --upgrade else sudo helm init --upgrade @@ -273,13 +273,13 @@ EOF echo "sleep 30" sleep 30 echo "verify both versions are the same below" - if [ "$USERNAME" == "root" ]; then + if [ "$USERNAME" = "root" ]; then helm version else sudo helm version fi echo "start helm server" - if [ "$USERNAME" == "root" ]; then + if [ "$USERNAME" = "root" ]; then helm serve & else sudo helm serve & @@ -287,7 +287,7 @@ EOF echo "sleep 30" sleep 30 echo "add local helm repo" - if [ "$USERNAME" == "root" ]; then + if [ "$USERNAME" = "root" ]; then helm repo add local http://127.0.0.1:8879 helm repo list else diff --git a/kubernetes/cps/resources/config/application.yml b/kubernetes/cps/resources/config/application-helm.yml similarity index 89% rename from kubernetes/cps/resources/config/application.yml rename to kubernetes/cps/resources/config/application-helm.yml index d85d341081..5f19007231 100755 --- a/kubernetes/cps/resources/config/application.yml +++ b/kubernetes/cps/resources/config/application-helm.yml @@ -50,7 +50,7 @@ spring: liquibase: change-log: classpath:changelog/changelog-master.yaml - labels: ${LIQUIBASE_LABELS} + labels: {{ .Values.config.liquibaseLabels }} security: # comma-separated uri patterns which do not require authorization @@ -79,3 +79,9 @@ logging: level: org: springframework: {{ .Values.logging.level }} + +{{- if .Values.config.additional }} +{{ toYaml .Values.config.additional | nindent 2 }} +{{- end }} + +# Last empty line is required otherwise the last property will be missing from application.yml file in the pod. diff --git a/kubernetes/cps/templates/deployment.yaml b/kubernetes/cps/templates/deployment.yaml index 861782a0b9..61877c38a0 100755 --- a/kubernetes/cps/templates/deployment.yaml +++ b/kubernetes/cps/templates/deployment.yaml @@ -74,6 +74,9 @@ spec: path: {{ .Values.readiness.path }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: SPRING_PROFILES_ACTIVE + value: {{ .Values.config.spring.profile }} resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 12 }} @@ -82,8 +85,8 @@ spec: affinity: {{ toYaml .Values.affinity | nindent 12 }} {{- end }} volumeMounts: - - mountPath: /app/resources/application.yml - subPath: application.yml + - mountPath: /app/resources/application-helm.yml + subPath: application-helm.yml name: init-data - mountPath: /app/resources/logback.xml subPath: logback.xml diff --git a/kubernetes/cps/values.yaml b/kubernetes/cps/values.yaml index ea4639f315..2312a4994d 100755 --- a/kubernetes/cps/values.yaml +++ b/kubernetes/cps/values.yaml @@ -127,8 +127,16 @@ config: # REST API basic authentication credentials (passsword is generated if not provided) appUserName: cpsuser + spring: + profile: helm #appUserPassword: +# Any new property can be added in the env by setting in overrides in the format mentioned below +# All the added properties must be in "key: value" format insead of yaml. +# additional: +# spring.config.max-size: 200 +# spring.config.min-size: 10 + logging: level: INFO path: /tmp diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index c03be83264..db58726893 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -2,6 +2,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,6 +18,56 @@ # ============LICENSE_END========================================================= */}} {{/* +For internal use only! + +dcaegen2-services-common._ms-specific-env-vars: +This template generates a list of microservice-specific environment variables +as specified in .Values.applicationEnv. The +dcaegen2-services-common.microServiceDeployment uses this template +to add the microservice-specific environment variables to the microservice's container. +These environment variables are in addition to a standard set of environment variables +provided to all microservices. + +The template expects a single argument, pointing to the caller's global context. + +Microservice-specific environment variables can be specified in two ways: + 1. As literal string values. + 2. As values that are sourced from a secret, identified by the secret's + uid and the key within the secret that provides the value. + +The following example shows an example of each type. The example assumes +that a secret has been created using the OOM common secret mechanism, with +a secret uid "example-secret" and a key called "password". + +applicationEnv: + APPLICATION_PASSWORD: + secretUid: example-secret + key: password + APPLICATION_EXAMPLE: "An example value" + +The example would set two environment variables on the microservice's container, +one called "APPLICATION_PASSWORD" with the value set from the "password" key in +the secret with uid "example-secret", and one called "APPLICATION_EXAMPLE" set to +the the literal string "An example value". +*/}} +{{- define "dcaegen2-services-common._ms-specific-env-vars" -}} + {{- $global := . }} + {{- if .Values.applicationEnv }} + {{- range $envName, $envValue := .Values.applicationEnv }} + {{- if kindIs "string" $envValue }} +- name: {{ $envName }} + value: {{ $envValue | quote }} + {{- else }} + {{ if or (not $envValue.secretUid) (not $envValue.key) }} + {{ fail (printf "Env %s definition is not a string and does not contain secretUid or key fields" $envName) }} + {{- end }} +- name: {{ $envName }} + {{- include "common.secret.envFromSecretFast" (dict "global" $global "uid" $envValue.secretUid "key" $envValue.key) | indent 2 }} + {{- end -}} + {{- end }} + {{- end }} +{{- end -}} +{{/* dcaegen2-services-common.microserviceDeployment: This template produces a Kubernetes Deployment for a DCAE microservice. @@ -63,12 +114,21 @@ certificate information will include a server cert and key, in various formats. It will also include the AAF CA cert. If the microservice is a TLS client only (indicated by setting .Values.tlsServer to false), the certificate information includes only the AAF CA cert. + +Deployed POD may also include a Policy-sync sidecar container. +The sidecar is included if .Values.policies is set. The +Policy-sync sidecar polls PolicyEngine (PDP) periodically based +on .Values.policies.duration and configuration retrieved is shared with +DCAE Microservice container by common volume. Policy can be retrieved based on +list of policyID or filter */}} {{- define "dcaegen2-services-common.microserviceDeployment" -}} {{- $logDir := default "" .Values.logDirectory -}} {{- $certDir := default "" .Values.certDirectory . -}} {{- $tlsServer := default "" .Values.tlsServer -}} +{{- $policy := default "" .Values.policies -}} + apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} @@ -130,6 +190,7 @@ spec: - mountPath: /opt/app/osaaf name: tls-info {{- end }} + {{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }} containers: - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -137,7 +198,7 @@ spec: env: {{- if $certDir }} - name: DCAE_CA_CERTPATH - value: {{ $certDir}}/cacert.pem + value: {{ $certDir }}/cacert.pem {{- end }} - name: CONSUL_HOST value: consul-server.onap @@ -150,12 +211,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.podIP - {{- if .Values.applicationEnv }} - {{- range $envName, $envValue := .Values.applicationEnv }} - - name: {{ $envName }} - value: {{ $envValue | quote }} - {{- end }} - {{- end }} + {{- include "dcaegen2-services-common._ms-specific-env-vars" . | nindent 8 }} {{- if .Values.service }} ports: {{ include "common.containerPorts" . | nindent 10 }} {{- end }} @@ -180,8 +236,9 @@ spec: {{- end }} {{- end }} resources: {{ include "common.resources" . | nindent 2 }} - {{- if or $logDir $certDir }} volumeMounts: + - mountPath: /app-config + name: app-config {{- if $logDir }} - mountPath: {{ $logDir}} name: component-log @@ -189,7 +246,13 @@ spec: {{- if $certDir }} - mountPath: {{ $certDir }} name: tls-info + {{- if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}} + {{- include "common.certManager.volumeMountsReadOnly" . | nindent 8 -}} + {{- end -}} {{- end }} + {{- if $policy }} + - name: policy-shared + mountPath: /etc/policies {{- end }} {{- if $logDir }} - image: {{ include "repositoryGenerator.image.logging" . }} @@ -211,6 +274,53 @@ spec: name: filebeat-conf subPath: filebeat.yml {{- end }} + {{- if $policy }} + - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dcaePolicySyncImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: policy-sync + env: + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: POLICY_SYNC_PDP_USER + valueFrom: + secretKeyRef: + name: onap-policy-xacml-pdp-api-creds + key: login + - name: POLICY_SYNC_PDP_PASS + valueFrom: + secretKeyRef: + name: onap-policy-xacml-pdp-api-creds + key: password + - name: POLICY_SYNC_PDP_URL + value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969 + - name: POLICY_SYNC_OUTFILE + value : "/etc/policies/policies.json" + - name: POLICY_SYNC_V1_DECISION_ENDPOINT + value : "policy/pdpx/v1/decision" + {{- if $policy.filter }} + - name: POLICY_SYNC_FILTER + value: {{ $policy.filter }} + {{- end -}} + {{- if $policy.policyID }} + - name: POLICY_SYNC_ID + value: {{ $policy.policyID }} + {{- end -}} + {{- if $policy.duration }} + - name: POLICY_SYNC_DURATION + value: {{ $policy.duration }} + {{- end }} + resources: {{ include "common.resources" . | nindent 2 }} + volumeMounts: + - mountPath: /etc/policies + name: policy-shared + {{- if $certDir }} + - mountPath: /opt/ca-certificates/ + name: tls-info + {{- end }} + {{- end }} hostname: {{ include "common.name" . }} volumes: - configMap: @@ -233,7 +343,60 @@ spec: {{- if $certDir }} - emptyDir: {} name: tls-info + {{ if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}} + {{ include "common.certManager.volumesReadOnly" . | nindent 6 }} + {{- end }} + {{- end }} + {{- if $policy }} + - name: policy-shared + emptyDir: {} {{- end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" {{ end -}} + +{{/* + For internal use + + Template to attach CertPostProcessor which merges CMPv2 truststore with AAF truststore + and swaps keystore files. +*/}} +{{- define "dcaegen2-services-common._certPostProcessor" -}} + {{- $certDir := default "" .Values.certDirectory . -}} + {{- if and $certDir .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}} + {{- $cmpv2Certificate := (index .Values.certificates 0) -}} + {{- $cmpv2CertificateDir := $cmpv2Certificate.mountPath -}} + {{- $certType := "pem" -}} + {{- if $cmpv2Certificate.keystore -}} + {{- $certType = (index $cmpv2Certificate.keystore.outputType 0) -}} + {{- end -}} + {{- $truststoresPaths := printf "%s/%s:%s/%s" $certDir "cacert.pem" $cmpv2CertificateDir "ca.crt" -}} + {{- $truststoresPasswordPaths := "" -}} + {{- $keystoreSourcePaths := printf "%s/%s:%s/%s" $cmpv2CertificateDir "tls.crt" $cmpv2CertificateDir "tls.key" -}} + {{- $keystoreDestinationPaths := printf "%s/%s:%s/%s" $certDir "cert.pem" $certDir "key.pem" -}} + {{- if not (eq $certType "pem") -}} + {{- $truststoresPaths = printf "%s/%s:%s/%s.%s" $certDir "trust.jks" $cmpv2CertificateDir "truststore" $certType -}} + {{- $truststoresPasswordPaths = printf "%s/%s:%s/%s" $certDir "trust.pass" $cmpv2CertificateDir "truststore.pass" -}} + {{- $keystoreSourcePaths = printf "%s/%s.%s:%s/%s" $cmpv2CertificateDir "keystore" $certType $cmpv2CertificateDir "keystore.pass" -}} + {{- $keystoreDestinationPaths = printf "%s/%s.%s:%s/%s.pass" $certDir "cert" $certType $certDir $certType -}} + {{- end }} + - name: cert-post-processor + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.certPostProcessorImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + {{- include "common.resources" . | nindent 4 }} + volumeMounts: + - mountPath: {{ $certDir }} + name: tls-info + {{- include "common.certManager.volumeMountsReadOnly" . | nindent 4 }} + env: + - name: TRUSTSTORES_PATHS + value: {{ $truststoresPaths | quote}} + - name: TRUSTSTORES_PASSWORDS_PATHS + value: {{ $truststoresPasswordPaths | quote }} + - name: KEYSTORE_SOURCE_PATHS + value: {{ $keystoreSourcePaths | quote }} + - name: KEYSTORE_DESTINATION_PATHS + value: {{ $keystoreDestinationPaths | quote }} + {{- end }} +{{- end -}} diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml index cd69da8346..cbd07dc486 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml @@ -15,4 +15,4 @@ # limitations under the License. # ============LICENSE_END========================================================= # dcaegen2-services-common templates get any values from the scope -# they are passed. There are no locally-defined values. \ No newline at end of file +# they are passed. There are no locally-defined values. diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml index 639fc2c740..929cdbbc5f 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml @@ -1,4 +1,5 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,3 +26,6 @@ dependencies: - name: dcaegen2-services-common version: ~8.x-0 repository: 'file://../../common/dcaegen2-services-common' + - name: certManagerCertificate + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/certificates.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/certificates.yaml new file mode 100644 index 0000000000..0db2138a4f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/certificates.yaml @@ -0,0 +1,19 @@ +{{/* +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }} +{{ include "certManagerCertificate.certificate" . }} +{{ end }} diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml index cec332218d..502e3a89dc 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml @@ -1,6 +1,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -34,6 +35,7 @@ filebeatConfig: ################################################################# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0 +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 ################################################################# # Application configuration defaults. @@ -62,6 +64,22 @@ secrets: password: '{{ .Values.aafCreds.password }}' passwordPolicy: required +# CMPv2 certificate +certificates: + - mountPath: /etc/ves-hv/ssl/external + commonName: dcae-hv-ves-collector + dnsNames: + - dcae-hv-ves-collector + - hv-ves-collector + - hv-ves + keystore: + outputType: + - jks + passwordSecretRef: + name: hv-ves-cmpv2-keystore-password + key: password + create: true + # dependencies readinessCheck: wait_for: diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml index da6dc8f1fc..89cf13447a 100644 --- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml @@ -1,6 +1,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -35,6 +36,7 @@ filebeatConfig: tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0 + ################################################################# # Application configuration defaults. ################################################################# @@ -84,6 +86,17 @@ service: - port: 9091 name: http +# Policy configuraiton properties +# if present, policy-sync side car will be deployed + +#dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 +#policies: +# duration: 300 +# policyID: | +# '["onap.vfirewall.tca","abc"]' +# filter: | +# '["DCAE.Config_vfirewall_.*"]' + aaiCreds: user: DCAE password: DCAE diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml index 639fc2c740..929cdbbc5f 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml @@ -1,4 +1,5 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,3 +26,6 @@ dependencies: - name: dcaegen2-services-common version: ~8.x-0 repository: 'file://../../common/dcaegen2-services-common' + - name: certManagerCertificate + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/certificates.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/certificates.yaml new file mode 100644 index 0000000000..0db2138a4f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/certificates.yaml @@ -0,0 +1,19 @@ +{{/* +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }} +{{ include "certManagerCertificate.certificate" . }} +{{ end }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml index 62c640453b..263715650e 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml @@ -1,6 +1,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -34,6 +35,7 @@ filebeatConfig: ################################################################# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0 +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 ################################################################# # Application configuration defaults. @@ -55,6 +57,22 @@ certDirectory: /opt/app/dcae-certificate # and key from AAF and mount them in certDirectory. tlsServer: true +# CMPv2 certificate +certificates: + - mountPath: /opt/app/dcae-certificate/external + commonName: dcae-ves-collector + dnsNames: + - dcae-ves-collector + - ves-collector + - ves + keystore: + outputType: + - jks + passwordSecretRef: + name: ves-cmpv2-keystore-password + key: password + create: true + # dependencies readinessCheck: wait_for: diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json b/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json index 6018abe309..3c769fca5f 100644 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json +++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json @@ -44,14 +44,18 @@ "image_tag": "{{ include "repositoryGenerator.repository" . }}/{{ .Values.cmpv2Config.global.platform.certServiceClient.image }}", "request_url": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.requestURL }}", "timeout": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.requestTimeout }}", - "country": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Country }}", - "organization": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Organization }}", - "state": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2State }}", - "organizational_unit": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2OrganizationalUnit }}", - "location": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Location }}", - "cert_secret_name": "{{ .Values.cmpv2Config.global.platform.certServiceClient.secretName }}", - "keystore_password": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.keystorePassword }}", - "truststore_password": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.truststorePassword }}" + "country": "{{ .Values.cmpv2Config.global.certificate.default.subject.country }}", + "organization": "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}", + "state": "{{ .Values.cmpv2Config.global.certificate.default.subject.province }}", + "organizational_unit": "{{ .Values.cmpv2Config.global.certificate.default.subject.organizationalUnit }}", + "location": "{{ .Values.cmpv2Config.global.certificate.default.subject.locality }}", + "cert_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName }}", + "keystore_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.keystoreKeyRef }}", + "truststore_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.truststoreKeyRef }}", + "keystore_password_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}", + "keystore_password_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretKey }}", + "truststore_password_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.truststorePasswordSecretName }}", + "truststore_password_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.truststorePasswordSecretKey }}" }, "cert_post_processor": { "image_tag": "{{ include "repositoryGenerator.repository" . }}/{{ .Values.cmpv2Config.global.platform.certPostProcessor.image }}" diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml index 1135c053d9..fcc8f6d4b0 100644 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml @@ -55,7 +55,7 @@ config: # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.deployments.cm-container:4.4.2 +image: onap/org.onap.dcaegen2.deployments.cm-container:4.5.0 pullPolicy: Always # name of shared ConfigMap with kubeconfig for multiple clusters diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml index e92e415414..51fcd08c4a 100644 --- a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml @@ -53,7 +53,7 @@ config: # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.ccsdk.dashboard.ccsdk-app-os:1.4.0 +image: onap/org.onap.ccsdk.dashboard.ccsdk-app-os:1.4.2 pullPolicy: Always # probe configuration parameters @@ -66,8 +66,8 @@ liveness: enabled: false readiness: - initialDelaySeconds: 30 - periodSeconds: 30 + initialDelaySeconds: 300 + periodSeconds: 90 path: /ccsdk-app/health scheme: HTTPS @@ -103,11 +103,11 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 + cpu: 0.6 memory: 1Gi + requests: + cpu: 0.4 + memory: 600Mib large: limits: cpu: 4 diff --git a/kubernetes/helm/plugins/deploy/deploy.sh b/kubernetes/helm/plugins/deploy/deploy.sh index 3bcb404032..44e8e56aa5 100755 --- a/kubernetes/helm/plugins/deploy/deploy.sh +++ b/kubernetes/helm/plugins/deploy/deploy.sh @@ -2,7 +2,7 @@ usage() { cat << EOF -Install (or upgrade) an umbrella Helm Chart, and its subcharts, as separate Helm Releases +Install (or upgrade) an umbrella Helm Chart, and its subcharts, as separate Helm Releases The umbrella Helm Chart is broken apart into a parent release and subchart releases. Subcharts the are disabled (.enabled=false) will not be installed or upgraded. @@ -49,12 +49,12 @@ generate_overrides() { for index in "${!SUBCHART_NAMES[@]}"; do START=${SUBCHART_NAMES[index]} END=${SUBCHART_NAMES[index+1]} - if [[ $START == "global:" ]]; then + if [[ $START = "global:" ]]; then echo "global:" > $GLOBAL_OVERRIDES cat $COMPUTED_OVERRIDES | sed '/common:/,/consul:/d' \ | sed -n '/^'"$START"'/,/'log:'/p' | sed '1d;$d' >> $GLOBAL_OVERRIDES else - SUBCHART_DIR="$CACHE_SUBCHART_DIR/$(cut -d':' -f1 <<<"$START")" + SUBCHART_DIR="$CACHE_SUBCHART_DIR/$(echo "$START" |cut -d':' -f1)" if [[ -d "$SUBCHART_DIR" ]]; then if [[ -z "$END" ]]; then cat $COMPUTED_OVERRIDES | sed -n '/^'"$START"'/,/'"$END"'/p' \ @@ -72,11 +72,11 @@ resolve_deploy_flags() { n=${#flags[*]} for (( i = 0; i < n; i++ )); do PARAM=${flags[i]} - if [[ $PARAM == "-f" || \ - $PARAM == "--values" || \ - $PARAM == "--set" || \ - $PARAM == "--set-string" || \ - $PARAM == "--version" ]]; then + if [[ $PARAM = "-f" || \ + $PARAM = "--values" || \ + $PARAM = "--set" || \ + $PARAM = "--set-string" || \ + $PARAM = "--version" ]]; then # skip param and its value i=$((i + 1)) else @@ -96,9 +96,9 @@ deploy() { RELEASE=$1 CHART_URL=$2 FLAGS=${@:3} - CHART_REPO="$(cut -d'/' -f1 <<<"$CHART_URL")" - CHART_NAME="$(cut -d'/' -f2 <<<"$CHART_URL")" - if [[ $HELM_VER == "v3."* ]]; then + CHART_REPO="$(echo "$CHART_URL" |cut -d'/' -f1)" + CHART_NAME="$(echo "$CHART_URL" |cut -d'/' -f2)" + if [[ $HELM_VER = "v3."* ]]; then CACHE_DIR=~/.local/share/helm/plugins/deploy/cache else CACHE_DIR=~/.helm/plugins/deploy/cache @@ -146,10 +146,10 @@ deploy() { DEPLOY_FLAGS=$(resolve_deploy_flags "$FLAGS") # determine if upgrading individual subchart or entire parent + subcharts - SUBCHART_RELEASE="$(cut -d'-' -f2 <<<"$RELEASE")" + SUBCHART_RELEASE="$(echo "$RELEASE" |cut -d'-' -f2)" # update specified subchart without parent - RELEASE="$(cut -d'-' -f1 <<<"$RELEASE")" - if [[ $SUBCHART_RELEASE == $RELEASE ]]; then + RELEASE="$(echo "$RELEASE" |cut -d'-' -f1)" + if [[ $SUBCHART_RELEASE = $RELEASE ]]; then SUBCHART_RELEASE= fi @@ -201,13 +201,13 @@ deploy() { helm upgrade -i $RELEASE $CHART_DIR $DEPLOY_FLAGS -f $COMPUTED_OVERRIDES \ > $LOG_FILE.log 2>&1 - if [[ $VERBOSE == "true" ]]; then + if [[ $VERBOSE = "true" ]]; then cat $LOG_FILE else echo "release \"$RELEASE\" deployed" fi # Add annotation last-applied-configuration if set-last-applied flag is set - if [[ $SET_LAST_APPLIED == "true" ]]; then + if [[ $SET_LAST_APPLIED = "true" ]]; then helm get manifest ${RELEASE} \ | kubectl apply set-last-applied --create-annotation -n onap -f - \ > $LOG_FILE.log 2>&1 @@ -228,7 +228,7 @@ deploy() { fi if [[ $SUBCHART_ENABLED -eq 1 ]]; then - if [[ -z "$SUBCHART_RELEASE" || $SUBCHART_RELEASE == "$subchart" ]]; then + if [[ -z "$SUBCHART_RELEASE" || $SUBCHART_RELEASE = "$subchart" ]]; then LOG_FILE=$LOG_DIR/"${RELEASE}-${subchart}".log :> $LOG_FILE @@ -236,19 +236,19 @@ deploy() { $DEPLOY_FLAGS -f $GLOBAL_OVERRIDES -f $SUBCHART_OVERRIDES \ > $LOG_FILE 2>&1 - if [[ $VERBOSE == "true" ]]; then + if [[ $VERBOSE = "true" ]]; then cat $LOG_FILE else echo "release \"${RELEASE}-${subchart}\" deployed" fi # Add annotation last-applied-configuration if set-last-applied flag is set - if [[ $SET_LAST_APPLIED == "true" ]]; then + if [[ $SET_LAST_APPLIED = "true" ]]; then helm get manifest "${RELEASE}-${subchart}" \ | kubectl apply set-last-applied --create-annotation -n onap -f - \ > $LOG_FILE.log 2>&1 fi fi - if [[ $DELAY == "true" ]]; then + if [[ $DELAY = "true" ]]; then echo sleep 3m sleep 3m fi @@ -256,8 +256,8 @@ deploy() { array=($(echo "$ALL_HELM_RELEASES" | grep "${RELEASE}-${subchart}")) n=${#array[*]} for (( i = n-1; i >= 0; i-- )); do - if [[ $HELM_VER == "v3."* ]]; then - helm del "${array[i]}" + if [[ $HELM_VER = "v3."* ]]; then + helm del "${array[i]}" else helm del "${array[i]}" --purge fi @@ -266,7 +266,7 @@ deploy() { done # report on success/failures of installs/upgrades - if [[ $HELM_VER == "v3."* ]]; then + if [[ $HELM_VER = "v3."* ]]; then helm ls --all-namespaces | grep -i FAILED | grep $RELEASE else helm ls | grep FAILED | grep $RELEASE diff --git a/kubernetes/helm/plugins/undeploy/undeploy.sh b/kubernetes/helm/plugins/undeploy/undeploy.sh index 8191174314..e5c0c12711 100755 --- a/kubernetes/helm/plugins/undeploy/undeploy.sh +++ b/kubernetes/helm/plugins/undeploy/undeploy.sh @@ -2,7 +2,7 @@ usage() { cat << EOF -Delete an umbrella Helm Chart, and its subcharts, that was previously deployed using 'Helm deploy'. +Delete an umbrella Helm Chart, and its subcharts, that was previously deployed using 'Helm deploy'. Example of deleting all Releases that have the prefix 'demo'. $ helm undeploy demo diff --git a/kubernetes/msb/components/msb-eag/values.yaml b/kubernetes/msb/components/msb-eag/values.yaml index ff158b592c..3629eb43ec 100644 --- a/kubernetes/msb/components/msb-eag/values.yaml +++ b/kubernetes/msb/components/msb-eag/values.yaml @@ -35,27 +35,18 @@ certInitializer: app_ns: org.osaaf.aaf credsPath: /opt/app/osaaf/local aaf_add_config: | - echo "*** retrieving passwords for certificates" - export $(/opt/app/aaf_config/bin/agent.sh local showpass \ - {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c') - if [ -z "$cadi_keystore_password_p12" ] - then - echo " /!\ certificates retrieval failed" - exit 1 - else - mkdir -p {{ .Values.credsPath }}/certs - echo "*** retrieve certificate from pkcs12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key to relevant place" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership and read/write attributes" - chown -R 1000 {{ .Values.credsPath }}/certs - chmod 600 {{ .Values.credsPath }}/certs/cert.crt - chmod 600 {{ .Values.credsPath }}/certs/cert.key - fi + mkdir -p {{ .Values.credsPath }}/certs + echo "*** retrieve certificate from pkcs12" + openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ + -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ + -passin pass:$cadi_keystore_password_p12 \ + -passout pass:$cadi_keystore_password_p12 + echo "*** copy key to relevant place" + cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key + echo "*** change ownership and read/write attributes" + chown -R 1000 {{ .Values.credsPath }}/certs + chmod 600 {{ .Values.credsPath }}/certs/cert.crt + chmod 600 {{ .Values.credsPath }}/certs/cert.key ################################################################# # Application configuration defaults. diff --git a/kubernetes/msb/components/msb-iag/values.yaml b/kubernetes/msb/components/msb-iag/values.yaml index 51e78e1de3..b95a11914d 100644 --- a/kubernetes/msb/components/msb-iag/values.yaml +++ b/kubernetes/msb/components/msb-iag/values.yaml @@ -35,27 +35,18 @@ certInitializer: app_ns: org.osaaf.aaf credsPath: /opt/app/osaaf/local aaf_add_config: | - echo "*** retrieving passwords for certificates" - export $(/opt/app/aaf_config/bin/agent.sh local showpass \ - {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c') - if [ -z "$cadi_keystore_password_p12" ] - then - echo " /!\ certificates retrieval failed" - exit 1 - else - mkdir -p {{ .Values.credsPath }}/certs - echo "*** retrieve certificate from pkcs12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key to relevant place" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership and read/write attributes" - chown -R 1000 {{ .Values.credsPath }}/certs - chmod 600 {{ .Values.credsPath }}/certs/cert.crt - chmod 600 {{ .Values.credsPath }}/certs/cert.key - fi + mkdir -p {{ .Values.credsPath }}/certs + echo "*** retrieve certificate from pkcs12" + openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ + -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ + -passin pass:$cadi_keystore_password_p12 \ + -passout pass:$cadi_keystore_password_p12 + echo "*** copy key to relevant place" + cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key + echo "*** change ownership and read/write attributes" + chown -R 1000 {{ .Values.credsPath }}/certs + chmod 600 {{ .Values.credsPath }}/certs/cert.crt + chmod 600 {{ .Values.credsPath }}/certs/cert.key ################################################################# # Application configuration defaults. diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index b008acf6f3..ca9ccd48f4 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -196,28 +196,25 @@ global: cmpv2Enabled: true CMPv2CertManagerIntegration: false platform: + certificates: + clientSecretName: oom-cert-service-client-tls-secret + keystoreKeyRef: keystore.jks + truststoreKeyRef: truststore.jks + keystorePasswordSecretName: oom-cert-service-certificates-password + keystorePasswordSecretKey: password + truststorePasswordSecretName: oom-cert-service-certificates-password + truststorePasswordSecretKey: password certServiceClient: image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3 - secret: - name: oom-cert-service-client-tls-secret - mountPath: /etc/onap/oom/certservice/certs/ + certificatesSecretMountPath: /etc/onap/oom/certservice/certs/ envVariables: certPath: "/var/custom-certs" # Certificate related - cmpv2Organization: "Linux-Foundation" - cmpv2OrganizationalUnit: "ONAP" - cmpv2Location: "San-Francisco" - cmpv2State: "California" - cmpv2Country: "US" - # Client configuration related caName: "RA" + # Client configuration related requestURL: "https://oom-cert-service:8443/v1/certificate/" requestTimeout: "30000" - keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks" outputType: "P12" - keystorePassword: "secret" - truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks" - truststorePassword: "secret" # Indicates offline deployment build # Set to true if you are rendering helm charts for offline deployment diff --git a/kubernetes/oof/components/oof-cmso/components/oof-cmso-optimizer/values.yaml b/kubernetes/oof/components/oof-cmso/components/oof-cmso-optimizer/values.yaml index b16dc9f67b..c9de6546c2 100644 --- a/kubernetes/oof/components/oof-cmso/components/oof-cmso-optimizer/values.yaml +++ b/kubernetes/oof/components/oof-cmso/components/oof-cmso-optimizer/values.yaml @@ -24,12 +24,12 @@ subChartsOnly: enabled: true # application image -image: onap/optf-cmso-optimizer:2.3.3 +image: onap/optf-cmso-optimizer:2.3.4 pullPolicy: Always #init container image dbinit: - image: onap/optf-cmso-dbinit:2.3.3 + image: onap/optf-cmso-dbinit:2.3.4 # flag to enable debugging - application support required debugEnabled: false diff --git a/kubernetes/oof/components/oof-cmso/components/oof-cmso-service/templates/deployment.yaml b/kubernetes/oof/components/oof-cmso/components/oof-cmso-service/templates/deployment.yaml index 4a02a64a56..3fd0112928 100644 --- a/kubernetes/oof/components/oof-cmso/components/oof-cmso-service/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-cmso/components/oof-cmso-service/templates/deployment.yaml @@ -107,16 +107,6 @@ spec: - mountPath: /usr/share/filebeat/data name: {{ include "common.fullname" . }}-filebeat resources: -{{ include "common.resources" . }} - - name: mso-simulator - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.robotimage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - name: {{ include "common.fullname" . }}-config - mountPath: /share/etc/config - ports: - - containerPort: 5000 - resources: {{ include "common.resources" . }} - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} diff --git a/kubernetes/oof/components/oof-cmso/components/oof-cmso-service/values.yaml b/kubernetes/oof/components/oof-cmso/components/oof-cmso-service/values.yaml index 1cb63036d9..105163e95c 100644 --- a/kubernetes/oof/components/oof-cmso/components/oof-cmso-service/values.yaml +++ b/kubernetes/oof/components/oof-cmso/components/oof-cmso-service/values.yaml @@ -23,13 +23,12 @@ subChartsOnly: enabled: true # application image -image: onap/optf-cmso-service:2.3.3 -robotimage: onap/optf-cmso-robot:2.3.3 +image: onap/optf-cmso-service:2.3.4 pullPolicy: Always #init container image dbinit: - image: onap/optf-cmso-dbinit:2.3.3 + image: onap/optf-cmso-dbinit:2.3.4 # flag to enable debugging - application support required debugEnabled: false diff --git a/kubernetes/oof/components/oof-cmso/components/oof-cmso-ticketmgt/values.yaml b/kubernetes/oof/components/oof-cmso/components/oof-cmso-ticketmgt/values.yaml index 6e312aa0cb..7ef7ace48b 100644 --- a/kubernetes/oof/components/oof-cmso/components/oof-cmso-ticketmgt/values.yaml +++ b/kubernetes/oof/components/oof-cmso/components/oof-cmso-ticketmgt/values.yaml @@ -23,7 +23,7 @@ subChartsOnly: enabled: true # application image -image: onap/optf-cmso-ticketmgt:2.3.3 +image: onap/optf-cmso-ticketmgt:2.3.4 pullPolicy: Always diff --git a/kubernetes/oof/components/oof-cmso/components/oof-cmso-topology/values.yaml b/kubernetes/oof/components/oof-cmso/components/oof-cmso-topology/values.yaml index 217db26612..40eed4e568 100644 --- a/kubernetes/oof/components/oof-cmso/components/oof-cmso-topology/values.yaml +++ b/kubernetes/oof/components/oof-cmso/components/oof-cmso-topology/values.yaml @@ -22,7 +22,7 @@ subChartsOnly: enabled: true # application image -image: onap/optf-cmso-topology:2.3.3 +image: onap/optf-cmso-topology:2.3.4 pullPolicy: Always diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml index 0614819930..c34ebad982 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml @@ -73,10 +73,10 @@ cmpv2issuer: certEndpoint: v1/certificate caName: RA certSecretRef: - name: cmpv2-issuer-secret - certRef: certServiceServer-cert.pem - keyRef: certServiceServer-key.pem - cacertRef: truststore.pem + name: oom-cert-service-server-tls-secret + certRef: tls.crt + keyRef: tls.key + cacertRef: ca.crt diff --git a/kubernetes/platform/components/oom-cert-service/Makefile b/kubernetes/platform/components/oom-cert-service/Makefile deleted file mode 100644 index ea0cb8aae4..0000000000 --- a/kubernetes/platform/components/oom-cert-service/Makefile +++ /dev/null @@ -1,183 +0,0 @@ -CERTS_DIR = resources -CURRENT_DIR := ${CURDIR} -DOCKER_CONTAINER = generate-certs -DOCKER_EXEC = docker exec ${DOCKER_CONTAINER} - -all: start_docker \ - clear_all \ - root_generate_keys \ - root_create_certificate \ - root_self_sign_certificate \ - client_generate_keys \ - client_generate_csr \ - client_sign_certificate_by_root \ - client_import_root_certificate \ - client_convert_certificate_to_jks \ - server_generate_keys \ - server_generate_csr \ - server_sign_certificate_by_root \ - server_import_root_certificate \ - server_convert_certificate_to_jks \ - server_convert_certificate_to_p12 \ - convert_truststore_to_p12 \ - convert_truststore_to_pem \ - server_export_certificate_to_pem \ - server_export_key_to_pem \ - clear_unused_files \ - stop_docker - -.PHONY: all - -# Starts docker container for generating certificates - deletes first, if already running -start_docker: - @make stop_docker - $(eval REPOSITORY := $(shell cat ./values.yaml | grep -i "^[ \t]*repository" -m1 | xargs | cut -d ' ' -f2)) - $(eval JAVA_IMAGE := $(shell cat ./values.yaml | grep -i "^[ \t]*certificateGenerationImage" -m1 | xargs | cut -d ' ' -f2)) - $(eval FULL_JAVA_IMAGE := $(REPOSITORY)/$(JAVA_IMAGE)) - $(eval USERNAME :=$(shell id -u)) - $(eval GROUP :=$(shell id -g)) - docker run --rm --name ${DOCKER_CONTAINER} --user "$(USERNAME):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/certs -w /certs --entrypoint "sh" -td $(FULL_JAVA_IMAGE) - -# Stops docker container for generating certificates. 'true' is used to return 0 status code, if container is already deleted -stop_docker: - docker rm ${DOCKER_CONTAINER} -f 1>/dev/null || true - -#Clear all files related to certificates -clear_all: - @make clear_existing_certificates - @make clear_unused_files - -#Clear certificates -clear_existing_certificates: - @echo "Clear certificates" - ${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 truststore.pem certServiceServer-cert.pem certServiceServer-key.pem - @echo "#####done#####" - -#Generate root private and public keys -root_generate_keys: - @echo "Generate root private and public keys" - ${DOCKER_EXEC} keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \ - -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \ - -storepass secret -ext BasicConstraints:critical="ca:true" - @echo "#####done#####" - -#Export public key as certificate -root_create_certificate: - @echo "(Export public key as certificate)" - ${DOCKER_EXEC} keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc - @echo "#####done#####" - -#Self-signed root (import root certificate into truststore) -root_self_sign_certificate: - @echo "(Self-signed root (import root certificate into truststore))" - ${DOCKER_EXEC} keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt - @echo "#####done#####" - -#Generate certService's client private and public keys -client_generate_keys: - @echo "Generate certService's client private and public keys" - ${DOCKER_EXEC} keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 365 \ - -keystore certServiceClient-keystore.jks -storetype JKS \ - -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \ - -keypass secret -storepass secret - @echo "####done####" - -#Generate certificate signing request for certService's client -client_generate_csr: - @echo "Generate certificate signing request for certService's client" - ${DOCKER_EXEC} keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr - @echo "####done####" - -#Sign certService's client certificate by root CA -client_sign_certificate_by_root: - @echo "Sign certService's client certificate by root CA" - ${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \ - -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" - @echo "####done####" - -#Import root certificate into client -client_import_root_certificate: - @echo "Import root certificate into intermediate" - ${DOCKER_EXEC} sh -c "cat root.crt >> certServiceClientByRoot.crt" - @echo "####done####" - -#Import signed certificate into certService's client -client_convert_certificate_to_jks: - @echo "Import signed certificate into certService's client" - ${DOCKER_EXEC} keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt - @echo "####done####" - -#Generate certService private and public keys -server_generate_keys: - @echo "Generate certService private and public keys" - ${DOCKER_EXEC} keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 365 \ - -keystore certServiceServer-keystore.jks -storetype JKS \ - -dname "CN=oom-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \ - -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false" - @echo "####done####" - -#Generate certificate signing request for certService -server_generate_csr: - @echo "Generate certificate signing request for certService" - ${DOCKER_EXEC} keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr - @echo "####done####" - -#Sign certService certificate by root CA -server_sign_certificate_by_root: - @echo "Sign certService certificate by root CA" - ${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \ - -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \ - -ext SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost" - @echo "####done####" - -#Import root certificate into server -server_import_root_certificate: - @echo "Import root certificate into intermediate(server)" - ${DOCKER_EXEC} sh -c "cat root.crt >> certServiceServerByRoot.crt" - @echo "####done####" - -#Import signed certificate into certService -server_convert_certificate_to_jks: - @echo "Import signed certificate into certService" - ${DOCKER_EXEC} keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \ - -storepass secret -noprompt - @echo "####done####" - -#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12) -server_convert_certificate_to_p12: - @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)" - ${DOCKER_EXEC} keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \ - -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret - @echo "#####done#####" - -#Convert truststore(.jks) to PCKS12 format(.p12) -convert_truststore_to_p12: - @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)" - ${DOCKER_EXEC} keytool -importkeystore -srckeystore truststore.jks -srcstorepass secret \ - -destkeystore truststore.p12 -deststoretype PKCS12 -deststorepass secret - @echo "#####done#####" - -#Convert truststore(.p12) to PEM format(.pem) -convert_truststore_to_pem: - @echo "Convert certServiceServer-keystore(.p12) to PEM format(.pem)" - ${DOCKER_EXEC} openssl pkcs12 -nodes -in truststore.p12 -out truststore.pem -passin pass:secret - @echo "#####done#####" - -#Export certificates from certServiceServer-keystore(.p12) to PEM format(.pem) -server_export_certificate_to_pem: - @echo "Export certificates from certServiceClient-keystore(.p12) to PEM format(.pem)" - ${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nokeys -out certServiceServer-cert.pem - @echo "#####done#####" - -#Export keys from certServiceServer-keystore(.p12) to PEM format(.pem) -server_export_key_to_pem: - @echo "Export keys from certServiceClient-keystore(.p12) to PEM format(.pem)" - ${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nocerts -out certServiceServer-key.pem - @echo "#####done#####" - - -#Clear unused certificates -clear_unused_files: - @echo "Clear unused certificates" - ${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr truststore.p12 - @echo "#####done#####" diff --git a/kubernetes/platform/components/oom-cert-service/requirements.yaml b/kubernetes/platform/components/oom-cert-service/requirements.yaml index e89dc58027..6177278552 100644 --- a/kubernetes/platform/components/oom-cert-service/requirements.yaml +++ b/kubernetes/platform/components/oom-cert-service/requirements.yaml @@ -19,3 +19,9 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: certManagerCertificate + version: ~8.x-0 + repository: '@local' + - name: cmpv2Config + version: ~8.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml new file mode 100644 index 0000000000..fd317703e3 --- /dev/null +++ b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2020-2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "certManagerCertificate.certificate" . }} diff --git a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml index c4d7440b20..9a6abd4eb9 100644 --- a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml +++ b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml @@ -93,9 +93,9 @@ spec: - name: ROOT_CERT value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.truststore.crtName }}" - name: KEYSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 14 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "certificates-password" "key" "password") | indent 14 }} - name: TRUSTSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 14 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "certificates-password" "key" "password") | indent 14 }} livenessProbe: exec: command: diff --git a/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml new file mode 100644 index 0000000000..9047ab73d3 --- /dev/null +++ b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml @@ -0,0 +1,32 @@ +{{/* + # Copyright © 2021, Nokia + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. +*/}} + +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.tls.issuer.selfsigning.name }} + namespace: {{ include "common.namespace" . }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.tls.issuer.ca.name }} + namespace: {{ include "common.namespace" . }} +spec: + ca: + secretName: {{ .Values.tls.issuer.ca.secret.name }} \ No newline at end of file diff --git a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml index 2d47e6f57c..5401801af5 100644 --- a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml +++ b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml @@ -28,42 +28,5 @@ data: {{ (.Files.Glob "resources/default/cmpServers.json").AsSecrets }} {{ end }} --- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.global.certService.certServiceClient.secret.name | default .Values.tls.client.secret.defaultName }} -type: Opaque -data: - certServiceClient-keystore.jks: - {{ (.Files.Glob "resources/certServiceClient-keystore.jks").AsSecrets }} - truststore.jks: - {{ (.Files.Glob "resources/truststore.jks").AsSecrets }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.tls.server.secret.name }} -type: Opaque -data: - certServiceServer-keystore.jks: - {{ (.Files.Glob "resources/certServiceServer-keystore.jks").AsSecrets }} - certServiceServer-keystore.p12: - {{ (.Files.Glob "resources/certServiceServer-keystore.p12").AsSecrets }} - truststore.jks: - {{ (.Files.Glob "resources/truststore.jks").AsSecrets }} - root.crt: - {{ (.Files.Glob "resources/root.crt").AsSecrets }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.tls.provider.secret.name }} -type: Opaque -data: - certServiceServer-key.pem: - {{ (.Files.Glob "resources/certServiceServer-key.pem").AsSecrets }} - certServiceServer-cert.pem: - {{ (.Files.Glob "resources/certServiceServer-cert.pem").AsSecrets }} - truststore.pem: - {{ (.Files.Glob "resources/truststore.pem").AsSecrets }} + {{ end -}} diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml index 537b025fb0..829d3a01d1 100644 --- a/kubernetes/platform/components/oom-cert-service/values.yaml +++ b/kubernetes/platform/components/oom-cert-service/values.yaml @@ -79,38 +79,40 @@ cmpServers: mountPath: /etc/onap/oom/certservice tls: + issuer: + selfsigning: + name: &selfSigningIssuer cmpv2-selfsigning-issuer + ca: + name: &caIssuer cmpv2-ca-issuer + secret: + name: &caKeyPairSecret cmpv2-ca-key-pair server: secret: - name: oom-cert-service-server-tls-secret + name: &serverSecret oom-cert-service-server-tls-secret volume: name: oom-cert-service-server-tls-volume mountPath: /etc/onap/oom/certservice/certs/ client: secret: defaultName: oom-cert-service-client-tls-secret - provider: - secret: - name: cmpv2-issuer-secret envs: keystore: - jksName: certServiceServer-keystore.jks - p12Name: certServiceServer-keystore.p12 - pemName: certServiceServer-keystore.pem + jksName: keystore.jks + p12Name: keystore.p12 + pemName: tls.crt truststore: jksName: truststore.jks - crtName: root.crt - pemName: truststore.pem + crtName: ca.crt + pemName: tls.crt httpsPort: 8443 # External secrets with credentials can be provided to override default credentials defined below, # by uncommenting and filling appropriate *ExternalSecret value credentials: tls: - keystorePassword: secret - truststorePassword: secret - #keystorePasswordExternalSecret: - #truststorePasswordExternalSecret: + certificatesPassword: secret + #certificatesPasswordExternalSecret: # Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled cmp: # Used only if cmpv2 testing is enabled @@ -126,17 +128,11 @@ credentials: # rv: unused secrets: - - uid: keystore-password - name: '{{ include "common.release" . }}-keystore-password' - type: password - externalSecret: '{{ tpl (default "" .Values.credentials.tls.keystorePasswordExternalSecret) . }}' - password: '{{ .Values.credentials.tls.keystorePassword }}' - passwordPolicy: required - - uid: truststore-password - name: '{{ include "common.release" . }}-truststore-password' + - uid: certificates-password + name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}' type: password - externalSecret: '{{ tpl (default "" .Values.credentials.tls.truststorePasswordExternalSecret) . }}' - password: '{{ .Values.credentials.tls.truststorePassword }}' + externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}' + password: '{{ .Values.credentials.tls.certificatesPassword }}' passwordPolicy: required # Below values are relevant only if global addTestingComponents flag is enabled - uid: ejbca-server-client-iak @@ -155,3 +151,65 @@ secrets: type: password externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}' password: '{{ .Values.credentials.cmp.ra.rv }}' + +# Certificates definitions +certificates: + - name: selfsigned-cert + secretName: *caKeyPairSecret + isCA: true + commonName: root.com + subject: + organization: Root Company + country: PL + locality: Wroclaw + province: Dolny Slask + organizationalUnit: Root Org + issuer: + name: *selfSigningIssuer + kind: Issuer + - name: cert-service-server-cert + secretName: *serverSecret + commonName: oom-cert-service + dnsNames: + - oom-cert-service + - localhost + subject: + organization: certServiceServer org + country: PL + locality: Wroclaw + province: Dolny Slask + organizationalUnit: certServiceServer company + usages: + - server auth + - client auth + keystore: + outputType: + - jks + - p12 + passwordSecretRef: + name: *certificatesPasswordSecretName + key: password + issuer: + name: *caIssuer + kind: Issuer + - name: cert-service-client-cert + secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}' + commonName: certServiceClient.com + subject: + organization: certServiceClient org + country: PL + locality: Wroclaw + province: Dolny Slask + organizationalUnit: certServiceClient company + usages: + - server auth + - client auth + keystore: + outputType: + - jks + passwordSecretRef: + name: *certificatesPasswordSecretName + key: password + issuer: + name: *caIssuer + kind: Issuer diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml index 22edcff601..aa1daf703f 100755 --- a/kubernetes/policy/components/policy-apex-pdp/values.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml @@ -80,9 +80,6 @@ certInitializer: uid: 101 gid: 102 aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - export $(/opt/app/aaf_config/bin/agent.sh local showpass - {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12"); echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci; echo "export KEYSTORE_PASSWORD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml index 0b2ea9f20c..da983e5b5b 100755 --- a/kubernetes/policy/components/policy-api/values.yaml +++ b/kubernetes/policy/components/policy-api/values.yaml @@ -69,9 +69,6 @@ certInitializer: uid: 100 gid: 101 aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - export $(/opt/app/aaf_config/bin/agent.sh local showpass - {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12"); echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); @@ -146,4 +143,3 @@ resources: cpu: 200m memory: 2Gi unlimited: {} - diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh b/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh index 329479fad2..ad9984c26c 100755 --- a/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh +++ b/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh @@ -16,4 +16,4 @@ # limitations under the License. */}} -mysql -h"${MYSQL_HOST}" -P"${MYSQL_PORT}" -u"${MYSQL_USER}" -p"${MYSQL_PASSWORD}" policyclamp < /dbcmd-config/policy-clamp-create-tables.sql +mysql -h"${MYSQL_HOST}" -P"${MYSQL_PORT}" -u"${MYSQL_USER}" -p"${MYSQL_PASSWORD}" -f policyclamp < /dbcmd-config/policy-clamp-create-tables.sql diff --git a/kubernetes/policy/components/policy-clamp-be/values.yaml b/kubernetes/policy/components/policy-clamp-be/values.yaml index 50ec8fafea..ef0ea7ae4e 100644 --- a/kubernetes/policy/components/policy-clamp-be/values.yaml +++ b/kubernetes/policy/components/policy-clamp-be/values.yaml @@ -44,11 +44,10 @@ certInitializer: app_ns: org.osaaf.aaf credsPath: /opt/app/osaaf/local aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop; - grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_truststore_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_truststore_password.pwd; - grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_key_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_key_password.pwd; - grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_keystore_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_keystore_password.pwd; - grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_keystore_password_p12=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_keystore_password_p12.pwd; + echo "$cadi_truststore_password" > {{ .Values.credsPath }}/cadi_truststore_password.pwd; + echo "$cadi_key_password" > {{ .Values.credsPath }}/cadi_key_password.pwd; + echo "$cadi_keystore_password" > {{ .Values.credsPath }}/cadi_keystore_password.pwd; + echo "$cadi_keystore_password_p12" > {{ .Values.credsPath }}/cadi_keystore_password_p12.pwd; cd {{ .Values.credsPath }}; chmod a+rx *; diff --git a/kubernetes/policy/components/policy-clamp-fe/values.yaml b/kubernetes/policy/components/policy-clamp-fe/values.yaml index c2f4d157c8..c824965955 100644 --- a/kubernetes/policy/components/policy-clamp-fe/values.yaml +++ b/kubernetes/policy/components/policy-clamp-fe/values.yaml @@ -48,8 +48,6 @@ certInitializer: app_ns: org.osaaf.aaf credsPath: /opt/app/osaaf/local aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop; - export $(/opt/app/aaf_config/bin/agent.sh local showpass | grep '^c' | xargs -0); cd {{ .Values.credsPath }}; openssl pkcs12 -in {{ .Values.keystoreFile }} -nocerts -nodes -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_key }}; openssl pkcs12 -in {{ .Values.keystoreFile }} -clcerts -nokeys -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_pem }}; diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml index 09805bd496..6788613ceb 100755 --- a/kubernetes/policy/components/policy-distribution/values.yaml +++ b/kubernetes/policy/components/policy-distribution/values.yaml @@ -105,9 +105,6 @@ certInitializer: uid: 100 gid: 101 aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - export $(/opt/app/aaf_config/bin/agent.sh local showpass - {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12"); echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci; echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml index 658fa65a31..4eb37c6106 100755 --- a/kubernetes/policy/components/policy-drools-pdp/values.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml @@ -89,9 +89,6 @@ certInitializer: uid: 100 gid: 101 aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - export $(/opt/app/aaf_config/bin/agent.sh local showpass - {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12"); echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci; echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; echo "export CADI_KEYFILE='{{ .Values.credsPath }}/org.onap.policy.keyfile'" >> {{ .Values.credsPath }}/.ci; diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml index ec177d82c1..18e0e3e171 100755 --- a/kubernetes/policy/components/policy-pap/values.yaml +++ b/kubernetes/policy/components/policy-pap/values.yaml @@ -83,9 +83,6 @@ certInitializer: uid: 100 gid: 101 aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - export $(/opt/app/aaf_config/bin/agent.sh local showpass - {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12"); echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); @@ -172,4 +169,3 @@ resources: cpu: 200m memory: 2Gi unlimited: {} - diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml index 76b0f3a42a..64c00e9bed 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml @@ -74,9 +74,6 @@ certInitializer: uid: 100 gid: 101 aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - export $(/opt/app/aaf_config/bin/agent.sh local showpass - {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12"); echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); @@ -155,4 +152,3 @@ resources: cpu: 200m memory: 2Gi unlimited: {} - diff --git a/kubernetes/portal/components/portal-app/values.yaml b/kubernetes/portal/components/portal-app/values.yaml index 0a818102c6..b46876ced9 100644 --- a/kubernetes/portal/components/portal-app/values.yaml +++ b/kubernetes/portal/components/portal-app/values.yaml @@ -77,10 +77,9 @@ certInitializer: permission_group: 999 keystoreFile: "org.onap.portal.p12" truststoreFile: "org.onap.portal.trust.jks" - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - /opt/app/aaf_config/bin/agent.sh local showpass \ - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + aaf_add_config: | + echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop + echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop # default number of instances replicaCount: 1 diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh index 390241fa1d..c4a21b927f 100644 --- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh +++ b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh @@ -107,7 +107,7 @@ docker_temp_server_start() { if [ -z "$DATABASE_ALREADY_EXISTS" ]; then extraArgs+=( '--dont-use-mysql-root-password' ) fi - if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then + if echo 'SELECT 1' |docker_process_sql "${extraArgs[@]}" --database=mysql >/dev/null 2>&1; then break fi sleep 1 @@ -263,19 +263,19 @@ docker_setup_db() { # Creates a custom database and user if specified if [ -n "$MYSQL_DATABASE" ]; then mysql_note "Creating database ${MYSQL_DATABASE}" - docker_process_sql --database=mysql <<<"CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" + echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" |docker_process_sql --database=mysql fi if [ -n "$MYSQL_USER" ] && [ -n "$MYSQL_PASSWORD" ]; then mysql_note "Creating user ${MYSQL_USER}" - docker_process_sql --database=mysql <<<"CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" + echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" |docker_process_sql --database=mysql if [ -n "$MYSQL_DATABASE" ]; then mysql_note "Giving user ${MYSQL_USER} access to schema ${MYSQL_DATABASE}" - docker_process_sql --database=mysql <<<"GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;" + echo "GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;" |docker_process_sql --database=mysql fi - docker_process_sql --database=mysql <<<"FLUSH PRIVILEGES ;" + echo "FLUSH PRIVILEGES ;" |docker_process_sql --database=mysql fi } diff --git a/kubernetes/portal/components/portal-sdk/values.yaml b/kubernetes/portal/components/portal-sdk/values.yaml index 11ce5a6e42..7631c3a482 100644 --- a/kubernetes/portal/components/portal-sdk/values.yaml +++ b/kubernetes/portal/components/portal-sdk/values.yaml @@ -78,10 +78,9 @@ certInitializer: permission_group: 999 keystoreFile: "org.onap.portal.p12" truststoreFile: "org.onap.portal.trust.jks" - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - /opt/app/aaf_config/bin/agent.sh local showpass \ - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + aaf_add_config: | + echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop + echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop # flag to enable debugging - application support required debugEnabled: false diff --git a/kubernetes/robot/demo-k8s.sh b/kubernetes/robot/demo-k8s.sh index 7ab384e8d0..d48070cf24 100755 --- a/kubernetes/robot/demo-k8s.sh +++ b/kubernetes/robot/demo-k8s.sh @@ -63,7 +63,7 @@ usage () # Check if execscript flag is used and drop it from input arguments -if [[ "${!#}" == "execscript" ]]; then +if [[ "${!#}" = "execscript" ]]; then set -- "${@:1:$#-1}" execscript=true fi diff --git a/kubernetes/robot/ete-k8s.sh b/kubernetes/robot/ete-k8s.sh index 576b669cdb..97f4e4d032 100755 --- a/kubernetes/robot/ete-k8s.sh +++ b/kubernetes/robot/ete-k8s.sh @@ -18,7 +18,7 @@ # Run the testsuite for the passed tag. Valid tags are listed in usage help # Please clean up logs when you are done... # -if [ "$1" == "" ] || [ "$2" == "" ]; then +if [ "$1" = "" ] || [ "$2" = "" ]; then echo "Usage: ete-k8s.sh [namespace] [tag] [execscript]" echo "" echo " List of test case tags (filename for intent: tag)" @@ -76,7 +76,7 @@ SCRIPTDIR=scripts/etescript ETEHOME=/var/opt/ONAP -if [[ "${!#}" == "execscript" ]]; then +if [[ "${!#}" = "execscript" ]]; then for script in $(ls -1 "$DIR/$SCRIPTDIR"); do [ -f "$DIR/$SCRIPTDIR/$script" ] && [ -x "$DIR/$SCRIPTDIR/$script" ] && source "$DIR/$SCRIPTDIR/$script" done diff --git a/kubernetes/robot/eteHelm-k8s.sh b/kubernetes/robot/eteHelm-k8s.sh index b8b8708a26..2512e5f7ce 100755 --- a/kubernetes/robot/eteHelm-k8s.sh +++ b/kubernetes/robot/eteHelm-k8s.sh @@ -18,7 +18,7 @@ # Run the health-check testsuites for the tags discovered by helm list # Please clean up logs when you are done... # -if [ "$1" == "" ] ; then +if [ "$1" = "" ] ; then echo "Usage: eteHelm-k8s.sh [namespace] [execscript]" echo " list projects via helm list and runs health-check with those tags except dev and dev-consul" echo " [execscript] - optional parameter to execute user custom scripts located in scripts/helmscript directory" @@ -44,7 +44,7 @@ SCRIPTDIR=scripts/helmscript ETEHOME=/var/opt/ONAP -if [[ "${!#}" == "execscript" ]]; then +if [[ "${!#}" = "execscript" ]]; then for script in $(ls -1 "$DIR/$SCRIPTDIR"); do [ -f "$DIR/$SCRIPTDIR/$script" ] && [ -x "$DIR/$SCRIPTDIR/$script" ] && source "$DIR/$SCRIPTDIR/$script" done diff --git a/kubernetes/robot/instantiate-k8s.sh b/kubernetes/robot/instantiate-k8s.sh index f10ad7e493..f4f6b04e4c 100755 --- a/kubernetes/robot/instantiate-k8s.sh +++ b/kubernetes/robot/instantiate-k8s.sh @@ -111,9 +111,9 @@ kubectl --namespace $NAMESPACE cp $FOLDER ${POD}:/tmp/vnfdata.${BUILDNUM} echo "Executing instantiation..." if [ $POLL = 1 ]; then - kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "${ETEHOME}/runTags.sh ${VARIABLEFILES} ${VARIABLES} -d /share/logs/${OUTPUT_FOLDER} ${TAGS} --listener ${ETEHOME}/testsuite/eteutils/robotframework-onap/listeners/OVPListener.py --display $DISPLAY_NUM > /tmp/vnf_instantiation.$BUILDNUM.log 2>&1 &" + kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "${ETEHOME}/runTags.sh ${VARIABLEFILES} ${VARIABLES} -d /share/logs/${OUTPUT_FOLDER} ${TAGS} --listener ${ETEHOME}/testsuite/eteutils/robotframework-onap/listeners/OVPListener.py --display $DISPLAY_NUM > /tmp/vnf_instantiation.$BUILDNUM.log 2>&1 &" - pid=`kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "pgrep runTags.sh -n"` + pid=`kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "pgrep runTags.sh -n"` if [ -z "$pid" ]; then echo "robot testsuite unable to start" @@ -123,10 +123,10 @@ if [ $POLL = 1 ]; then kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "while ps -p \"$pid\" --no-headers | grep -v defunct; do echo \$'\n\n'; echo \"Testsuite still running \"\`date\`; echo \"LOG FILE: \"; tail -10 /tmp/vnf_instantiation.$BUILDNUM.log; sleep 30; done" else - kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "${ETEHOME}/runTags.sh ${VARIABLEFILES} ${VARIABLES} -d /share/logs/${OUTPUT_FOLDER} ${TAGS} --listener ${ETEHOME}/testsuite/eteutils/robotframework-onap/listeners/OVPListener.py --display $DISPLAY_NUM" + kubectl --namespace $NAMESPACE exec ${POD} -- bash -c "${ETEHOME}/runTags.sh ${VARIABLEFILES} ${VARIABLES} -d /share/logs/${OUTPUT_FOLDER} ${TAGS} --listener ${ETEHOME}/testsuite/eteutils/robotframework-onap/listeners/OVPListener.py --display $DISPLAY_NUM" fi -set +x +set +x echo "testsuite has finished" diff --git a/kubernetes/robot/values.yaml b/kubernetes/robot/values.yaml index 6f54c6b340..9e5f222f48 100644 --- a/kubernetes/robot/values.yaml +++ b/kubernetes/robot/values.yaml @@ -22,7 +22,7 @@ global: # global defaults # application image repository: nexus3.onap.org:10001 -image: onap/testsuite:1.7.3 +image: onap/testsuite:1.8.0 pullPolicy: Always ubuntuInitImage: oomk8s/ubuntu-init:2.0.0 diff --git a/kubernetes/sdc/components/sdc-be/values.yaml b/kubernetes/sdc/components/sdc-be/values.yaml index 77577d6ee3..bdaea44938 100644 --- a/kubernetes/sdc/components/sdc-be/values.yaml +++ b/kubernetes/sdc/components/sdc-be/values.yaml @@ -35,8 +35,8 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/sdc-backend-all-plugins:1.8.4 -backendInitImage: onap/sdc-backend-init:1.8.4 +image: onap/sdc-backend-all-plugins:1.8.5 +backendInitImage: onap/sdc-backend-init:1.8.5 pullPolicy: Always @@ -63,9 +63,9 @@ certInitializer: truststoreFile: "org.onap.sdc.trust.jks" permission_user: 352070 permission_group: 35953 - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh local showpass - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + aaf_add_config: | + echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop + echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop ################################################################# # SDC Config part diff --git a/kubernetes/sdc/components/sdc-cs/values.yaml b/kubernetes/sdc/components/sdc-cs/values.yaml index 33e32ddfbe..3422f9d14d 100644 --- a/kubernetes/sdc/components/sdc-cs/values.yaml +++ b/kubernetes/sdc/components/sdc-cs/values.yaml @@ -38,8 +38,8 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/sdc-cassandra:1.8.4 -cassandraInitImage: onap/sdc-cassandra-init:1.8.4 +image: onap/sdc-cassandra:1.8.5 +cassandraInitImage: onap/sdc-cassandra-init:1.8.5 pullPolicy: Always config: diff --git a/kubernetes/sdc/components/sdc-fe/values.yaml b/kubernetes/sdc/components/sdc-fe/values.yaml index 079d7ad462..1e269d0552 100644 --- a/kubernetes/sdc/components/sdc-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-fe/values.yaml @@ -39,15 +39,15 @@ certInitializer: truststoreFile: "org.onap.sdc.trust.jks" permission_user: 352070 permission_group: 35953 - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh local showpass - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + aaf_add_config: | + echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop + echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/sdc-frontend:1.8.4 +image: onap/sdc-frontend:1.8.5 pullPolicy: Always config: diff --git a/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml b/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml new file mode 100644 index 0000000000..5af3bf737b --- /dev/null +++ b/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml @@ -0,0 +1,20 @@ +# ===========LICENSE_START======================================================== +# Copyright (c) 2021 Nokia. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +apiVersion: v1 +description: ONAP Service Design and Creation Helm Validator +name: sdc-helm-validator +version: 8.0.0 diff --git a/kubernetes/sdc/components/sdc-helm-validator/requirements.yaml b/kubernetes/sdc/components/sdc-helm-validator/requirements.yaml new file mode 100644 index 0000000000..8e1160ad44 --- /dev/null +++ b/kubernetes/sdc/components/sdc-helm-validator/requirements.yaml @@ -0,0 +1,23 @@ +# ===========LICENSE_START======================================================== +# Copyright (c) 2021 Nokia. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +dependencies: + - name: repositoryGenerator + version: ~8.x-0 + repository: '@local' + - name: common + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml b/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml new file mode 100644 index 0000000000..08228ad99c --- /dev/null +++ b/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml @@ -0,0 +1,44 @@ +{{/* +# ===========LICENSE_START======================================================== +# Copyright (c) 2021 Nokia. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: 1 + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: {{ include "common.resources" . | nindent 12 }} + ports: {{ include "common.containerPorts" . | nindent 12 }} + env: + - name: LOG_LEVEL + value: {{ .Values.config.loggingLevel }} + livenessProbe: + httpGet: + path: {{ .Values.liveness.path }} + port: {{ .Values.liveness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/sdc/components/sdc-helm-validator/templates/service.yaml b/kubernetes/sdc/components/sdc-helm-validator/templates/service.yaml new file mode 100644 index 0000000000..a5837afc84 --- /dev/null +++ b/kubernetes/sdc/components/sdc-helm-validator/templates/service.yaml @@ -0,0 +1,19 @@ +{{/* +# ===========LICENSE_START======================================================== +# Copyright (c) 2021 Nokia. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/sdc/components/sdc-helm-validator/values.yaml b/kubernetes/sdc/components/sdc-helm-validator/values.yaml new file mode 100644 index 0000000000..9c0d90649f --- /dev/null +++ b/kubernetes/sdc/components/sdc-helm-validator/values.yaml @@ -0,0 +1,58 @@ +# ===========LICENSE_START======================================================== +# Copyright (c) 2021 Nokia. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +# Global values +global: + pullPolicy: Always + +image: onap/org.onap.sdc.sdc-helm-validator:1.2.0 +containerPort: &svc_port 8080 + +config: + loggingLevel: INFO + +service: + type: ClusterIP + ports: + - name: &port http + port: *svc_port + +liveness: + initialDelaySeconds: 30 + periodSeconds: 30 + path: /actuator/health + port: *port + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +flavor: small +resources: + small: + limits: + cpu: 1 + memory: 256Mi + requests: + cpu: 1 + memory: 256Mi + large: + limits: + cpu: 2 + memory: 1Gi + requests: + cpu: 1 + memory: 256Mi + unlimited: {} diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml index 5c530fea72..af53fd6708 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml @@ -93,7 +93,7 @@ spec: memory: 20Mi {{- end }} - name: volume-permissions - image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }} + image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - sh diff --git a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml index e34d5c5cfb..d2dd808d86 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml @@ -51,16 +51,16 @@ certInitializer: truststoreFile: "org.onap.sdc.trust.jks" permission_user: 352070 permission_group: 35953 - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh local showpass - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + aaf_add_config: | + echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop + echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/sdc-onboard-backend:1.8.4 -onboardingInitImage: onap/sdc-onboard-cassandra-init:1.8.4 +image: onap/sdc-onboard-backend:1.8.5 +onboardingInitImage: onap/sdc-onboard-cassandra-init:1.8.5 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdc/components/sdc-wfd-be/values.yaml b/kubernetes/sdc/components/sdc-wfd-be/values.yaml index 4aebe7ab9a..dbd643806c 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/values.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/values.yaml @@ -50,9 +50,9 @@ certInitializer: truststoreFile: "org.onap.sdc.trust.jks" permission_user: 352070 permission_group: 35953 - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh local showpass - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + aaf_add_config: | + echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop + echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop ################################################################# # Application configuration defaults. diff --git a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml index ff8aebf6b2..e001f2f5a7 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml @@ -39,9 +39,9 @@ certInitializer: truststoreFile: "org.onap.sdc.trust.jks" permission_user: 352070 permission_group: 35953 - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh local showpass - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + aaf_add_config: | + echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop + echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop ################################################################# # Application configuration defaults. diff --git a/kubernetes/sdc/requirements.yaml b/kubernetes/sdc/requirements.yaml index 7ed88c50cc..2f2cb6c373 100644 --- a/kubernetes/sdc/requirements.yaml +++ b/kubernetes/sdc/requirements.yaml @@ -34,3 +34,7 @@ dependencies: version: ~8.x-0 repository: 'file://components/sdc-wfd-fe' condition: sdc-wfd.enabled + - name: sdc-helm-validator + version: ~8.x-0 + repository: 'file://components/sdc-helm-validator' + condition: sdc-helm-validator.enabled diff --git a/kubernetes/sdc/values.yaml b/kubernetes/sdc/values.yaml index fef7dab310..b7476a584e 100644 --- a/kubernetes/sdc/values.yaml +++ b/kubernetes/sdc/values.yaml @@ -63,3 +63,5 @@ cassandra: # dependency / sub-chart configuration sdc-wfd: enabled: true +sdc-helm-validator: + enabled: true diff --git a/kubernetes/sdnc/components/dmaap-listener/values.yaml b/kubernetes/sdnc/components/dmaap-listener/values.yaml index 67282d5a53..b37b2be590 100644 --- a/kubernetes/sdnc/components/dmaap-listener/values.yaml +++ b/kubernetes/sdnc/components/dmaap-listener/values.yaml @@ -49,7 +49,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/sdnc-dmaap-listener-image:2.1.3 +image: onap/sdnc-dmaap-listener-image:2.1.5 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml index 6abffb0e93..f9c8ca4401 100644 --- a/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml +++ b/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml @@ -49,7 +49,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/sdnc-ansible-server-image:2.1.3 +image: onap/sdnc-ansible-server-image:2.1.5 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncActive.sh b/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncActive.sh index 5a53fa1ca2..feb6662196 100755 --- a/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncActive.sh +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncActive.sh @@ -17,7 +17,7 @@ */}} debugLog(){ - if [ "$enableDebugLogging" == true ]; then + if [ "$enableDebugLogging" = true ]; then if [ $# -eq 0 ]; then echo "" >> $LOGFILE else diff --git a/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncStandby.sh b/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncStandby.sh index 9c81069812..94858339e7 100755 --- a/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncStandby.sh +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncStandby.sh @@ -17,7 +17,7 @@ */}} debugLog(){ - if [ "$enableDebugLogging" == true ]; then + if [ "$enableDebugLogging" = true ]; then if [ $# -eq 0 ]; then echo "" >> $LOGFILE else diff --git a/kubernetes/sdnc/components/sdnc-prom/resources/bin/prom.sh b/kubernetes/sdnc/components/sdnc-prom/resources/bin/prom.sh index 7764d00cc2..fa76a9ee40 100755 --- a/kubernetes/sdnc/components/sdnc-prom/resources/bin/prom.sh +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/prom.sh @@ -24,7 +24,7 @@ fi # should PROM start as passive? state=$( bin/sdnc.cluster ) -if [ "$state" == "standby" ]; then +if [ "$state" = "standby" ]; then echo "Starting PROM in passive mode" passive="-p" fi diff --git a/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh b/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh index 8057547b59..c36d2e3e9f 100755 --- a/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh @@ -26,7 +26,7 @@ LOGFILE="/app/geo.log" enableDebugLogging=true debugLog(){ - if [ "$enableDebugLogging" == true ]; then + if [ "$enableDebugLogging" = true ]; then if [ $# -eq 0 ]; then echo "" >> $LOGFILE else diff --git a/kubernetes/sdnc/components/sdnc-web/values.yaml b/kubernetes/sdnc/components/sdnc-web/values.yaml index 3577c84a24..acd21ae8b9 100644 --- a/kubernetes/sdnc/components/sdnc-web/values.yaml +++ b/kubernetes/sdnc/components/sdnc-web/values.yaml @@ -23,7 +23,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: "onap/sdnc-web-image:2.1.3" +image: "onap/sdnc-web-image:2.1.5" pullPolicy: Always config: diff --git a/kubernetes/sdnc/components/ueb-listener/values.yaml b/kubernetes/sdnc/components/ueb-listener/values.yaml index 6f8b525d77..b5c062945b 100644 --- a/kubernetes/sdnc/components/ueb-listener/values.yaml +++ b/kubernetes/sdnc/components/ueb-listener/values.yaml @@ -55,7 +55,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/sdnc-ueb-listener-image:2.1.3 +image: onap/sdnc-ueb-listener-image:2.1.5 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdnc/templates/service.yaml b/kubernetes/sdnc/templates/service.yaml index e3be4bc46a..693ef41af6 100644 --- a/kubernetes/sdnc/templates/service.yaml +++ b/kubernetes/sdnc/templates/service.yaml @@ -174,3 +174,27 @@ spec: selector: statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-2 {{ end }} + +{{ if .Values.config.sdnr.netconfCallHome.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "common.servicename" . }}-callhome + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + type: NodePort + ports: + - name: "{{ .Values.service.portName }}-callhome" + port: {{ .Values.service.callHomePort }} + targetPort: {{ .Values.service.callHomePort }} + nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.callHomeNodePort }} + selector: + app.kubernetes.io/name: {{ include "common.name" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} +{{ end }} diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml index 152337ee52..8a7259ba0d 100644 --- a/kubernetes/sdnc/templates/statefulset.yaml +++ b/kubernetes/sdnc/templates/statefulset.yaml @@ -192,6 +192,9 @@ spec: - containerPort: {{ .Values.service.internalPort2 }} - containerPort: {{ .Values.service.internalPort3 }} - containerPort: {{ .Values.service.clusterPort }} + {{- if .Values.config.sdnr.netconfCallHome.enabled }} + - containerPort: {{ .Values.service.callHomePort }} + {{- end }} readinessProbe: tcpSocket: port: {{ .Values.service.internalPort }} @@ -305,6 +308,8 @@ spec: {{- end }} - name: ENABLE_OAUTH value: "{{ .Values.config.sdnr.oauth.enabled | default "false" }}" + - name: SDNR_NETCONF_CALLHOME_ENABLED + value: "{{ .Values.config.sdnr.netconfCallHome.enabled | default "false" }}" volumeMounts: {{ include "common.certInitializer.volumeMount" . | indent 10 }} {{ include "common.certServiceClient.volumeMounts" . | indent 10 }} diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index 399740ed05..9f6118051b 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -195,6 +195,7 @@ certificates: outputType: - jks passwordSecretRef: + create: true name: sdnc-cmpv2-keystore-password key: password issuer: @@ -207,7 +208,7 @@ certificates: # application images pullPolicy: Always -image: onap/sdnc-image:2.1.3 +image: onap/sdnc-image:2.1.5 # flag to enable debugging - application support required debugEnabled: false @@ -322,6 +323,8 @@ config: sdnrdbTrustAllCerts: true mountpointRegistrarEnabled: false mountpointStateProviderEnabled: false + netconfCallHome: + enabled: true # # enable and set dmaap-proxy for mountpointRegistrar dmaapProxy: @@ -549,6 +552,9 @@ service: geoNodePort5: 65 geoNodePort6: 66 + callHomePort: 6666 + callHomeNodePort: 66 + ## Persist data to a persitent volume persistence: enabled: true diff --git a/kubernetes/so/components/so-bpmn-infra/values.yaml b/kubernetes/so/components/so-bpmn-infra/values.yaml index c7ec266f7c..3e59cbfd74 100755 --- a/kubernetes/so/components/so-bpmn-infra/values.yaml +++ b/kubernetes/so/components/so-bpmn-infra/values.yaml @@ -62,7 +62,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/bpmn-infra:1.8.1 +image: onap/so/bpmn-infra:1.8.2 pullPolicy: Always db: diff --git a/kubernetes/so/components/so-catalog-db-adapter/values.yaml b/kubernetes/so/components/so-catalog-db-adapter/values.yaml index c83172dc24..6308e9f8de 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/values.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/values.yaml @@ -61,7 +61,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/catalog-db-adapter:1.8.1 +image: onap/so/catalog-db-adapter:1.8.2 pullPolicy: Always db: diff --git a/kubernetes/so/components/so-openstack-adapter/values.yaml b/kubernetes/so/components/so-openstack-adapter/values.yaml index 0ecb925802..29fc50b2b2 100755 --- a/kubernetes/so/components/so-openstack-adapter/values.yaml +++ b/kubernetes/so/components/so-openstack-adapter/values.yaml @@ -57,7 +57,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/openstack-adapter:1.8.1 +image: onap/so/openstack-adapter:1.8.2 pullPolicy: Always db: diff --git a/kubernetes/so/components/so-request-db-adapter/values.yaml b/kubernetes/so/components/so-request-db-adapter/values.yaml index 8cf78749de..c117a7434a 100755 --- a/kubernetes/so/components/so-request-db-adapter/values.yaml +++ b/kubernetes/so/components/so-request-db-adapter/values.yaml @@ -57,7 +57,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/request-db-adapter:1.8.1 +image: onap/so/request-db-adapter:1.8.2 pullPolicy: Always db: diff --git a/kubernetes/so/components/so-sdc-controller/values.yaml b/kubernetes/so/components/so-sdc-controller/values.yaml index 36770ad22e..b1d7173a62 100755 --- a/kubernetes/so/components/so-sdc-controller/values.yaml +++ b/kubernetes/so/components/so-sdc-controller/values.yaml @@ -57,7 +57,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/sdc-controller:1.8.1 +image: onap/so/sdc-controller:1.8.2 pullPolicy: Always db: diff --git a/kubernetes/so/components/so-sdnc-adapter/values.yaml b/kubernetes/so/components/so-sdnc-adapter/values.yaml index c8e2abc4b3..9a67ef8220 100755 --- a/kubernetes/so/components/so-sdnc-adapter/values.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/values.yaml @@ -72,7 +72,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/sdnc-adapter:1.8.1 +image: onap/so/sdnc-adapter:1.8.2 pullPolicy: Always org: diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml index 1358795cec..ba98c344ac 100755 --- a/kubernetes/so/values.yaml +++ b/kubernetes/so/values.yaml @@ -162,7 +162,7 @@ dbCreds: userName: so_user adminName: so_admin -image: onap/so/api-handler-infra:1.8.1 +image: onap/so/api-handler-infra:1.8.2 server: aaf: diff --git a/kubernetes/vfc/values.yaml b/kubernetes/vfc/values.yaml index 19197c7f76..0560832a5f 100644 --- a/kubernetes/vfc/values.yaml +++ b/kubernetes/vfc/values.yaml @@ -55,6 +55,7 @@ mariadb-galera: disableNfsProvisioner: true serviceAccount: nameOverride: *vfc-mariadb + replicaCount: 1 db: &dbConfig mariadbService: vfc-mariadb @@ -100,4 +101,4 @@ vfc-workflow-engine: workflowPort: 10550 vfc-zte-vnfm-driver: - enabled: true \ No newline at end of file + enabled: true diff --git a/tox.ini b/tox.ini index fcabf9cadc..01e9953617 100644 --- a/tox.ini +++ b/tox.ini @@ -17,11 +17,11 @@ commands = [testenv:docs] deps = -rdocs/requirements-docs.txt commands = - sphinx-build -W -b html -n -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/html + sphinx-build -q -W -b html -n -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/html [testenv:docs-linkcheck] deps = -rdocs/requirements-docs.txt -commands = sphinx-build -W -b linkcheck -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/linkcheck +commands = sphinx-build -q -W -b linkcheck -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/linkcheck [testenv:spelling] #basepython = python3