From: Krzysztof Opasiak Date: Wed, 22 Sep 2021 14:49:18 +0000 (+0000) Subject: Merge "[SO] Add TLS configuration for SO API Ingress" X-Git-Tag: 9.0.0~114 X-Git-Url: https://gerrit.onap.org/r/gitweb?p=oom.git;a=commitdiff_plain;h=4e047995fd6c7a0e3804a4412d91aa093f6f8441;hp=c9f47135f5820c423ed0b6cf295be5a98624a73c Merge "[SO] Add TLS configuration for SO API Ingress" --- diff --git a/TOSCA/ONAP_TOSCA/onap_tosca.yaml b/TOSCA/ONAP_TOSCA/onap_tosca.yaml index a48f4bc246..e63901d35f 100644 --- a/TOSCA/ONAP_TOSCA/onap_tosca.yaml +++ b/TOSCA/ONAP_TOSCA/onap_tosca.yaml @@ -50,7 +50,7 @@ node_templates: chart-version: { get_input: chart-version } namespace: { get_input: namespace } stable-repo-url: { get_input: stable-repo-url} - config: '{ "aaf": {"enabled": false}, "aai": {"enabled": false}, "appc": {"enabled": false}, "clamp": {"enabled": false}, "cli": {"enabled": false}, "consul": {"enabled": false}, "dcaegen2": {"enabled": false}, "dmaap": {"enabled": false}, "esr": {"enabled": false}, "log": {"enabled": false}, "sniro-emulator": {"enabled": false}, "msb": {"enabled": false}, "multicloud": {"enabled": false}, "nbi": {"enabled": false}, "oof": {"enabled": false}, "policy": {"enabled": false}, "pomba": {"enabled": false}, "portal": {"enabled": false}, "robot": {"enabled": false}, "sdc": {"enabled": false}, "sdnc": {"enabled": false}, "so": {"enabled": false}, "uui": {"enabled": false}, "vfc": {"enabled": false}, "vid": {"enabled": false}, "vnfsdk": {"enabled": false} }' + config: '{ "aaf": {"enabled": false}, "aai": {"enabled": false}, "appc": {"enabled": false}, "clamp": {"enabled": false}, "cli": {"enabled": false}, "consul": {"enabled": false}, "dcaegen2": {"enabled": false}, "dmaap": {"enabled": false}, "log": {"enabled": false}, "sniro-emulator": {"enabled": false}, "msb": {"enabled": false}, "multicloud": {"enabled": false}, "nbi": {"enabled": false}, "oof": {"enabled": false}, "policy": {"enabled": false}, "pomba": {"enabled": false}, "portal": {"enabled": false}, "robot": {"enabled": false}, "sdc": {"enabled": false}, "sdnc": {"enabled": false}, "so": {"enabled": false}, "uui": {"enabled": false}, "vfc": {"enabled": false}, "vid": {"enabled": false}, "vnfsdk": {"enabled": false} }' aaf: type: onap.nodes.component @@ -179,20 +179,6 @@ node_templates: - type: cloudify.relationships.connected_to target: onap_env - esr: - type: onap.nodes.component - properties: - tiller-server-ip: { get_input: tiller-server-ip } - tiller-server-port: { get_input: tiller-server-port } - component-name: esr - chart-repo-url: { get_input: chart-repo-url } - chart-version: { get_input: chart-version } - namespace: { get_input: namespace } - stable-repo-url: { get_input: stable-repo-url} - relationships: - - type: cloudify.relationships.connected_to - target: onap_env - log: type: onap.nodes.component properties: @@ -429,4 +415,4 @@ node_templates: stable-repo-url: { get_input: stable-repo-url} relationships: - type: cloudify.relationships.connected_to - target: onap_env \ No newline at end of file + target: onap_env diff --git a/docs/environments_onap_demo.yaml b/docs/environments_onap_demo.yaml index 9862ceab6c..8b697cbda2 100644 --- a/docs/environments_onap_demo.yaml +++ b/docs/environments_onap_demo.yaml @@ -48,8 +48,6 @@ cps: enabled: false dcaegen2: enabled: false -esr: - enabled: false log: enabled: false message-router: diff --git a/docs/helm-search.txt b/docs/helm-search.txt index 4d23cc0c4f..7fa7621e30 100644 --- a/docs/helm-search.txt +++ b/docs/helm-search.txt @@ -14,7 +14,6 @@ local/cps 8.0.0 ONAP Configuration Persistene S local/dcaegen2 8.0.0 ONAP DCAE Gen2 local/dgbuilder 8.0.0 D.G. Builder application local/dmaap 8.0.0 ONAP DMaaP components -local/esr 8.0.0 ONAP External System Register local/log 8.0.0 ONAP Logging ElasticStack local/mariadb-galera 8.0.0 Chart for MariaDB Galera cluster local/mongo 8.0.0 MongoDB Server diff --git a/docs/release-notes-honolulu.rst b/docs/release-notes-honolulu.rst new file mode 100644 index 0000000000..0c8d81f164 --- /dev/null +++ b/docs/release-notes-honolulu.rst @@ -0,0 +1,162 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_honolulu: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`Guilin ` +- :ref:`Frankfurt ` +- :ref:`El Alto ` +- :ref:`Dublin ` +- :ref:`Casablanca ` +- :ref:`Beijing ` +- :ref:`Amsterdam ` + +Abstract +======== + +This document provides the release notes for the Honolulu release. + +Summary +======= + +The focus of this release is to strengthen the foundation of OOM installer. + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | Honolulu | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2021/04/29 | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* Kubernetes support for version up to 1.20 +* Helm support for version up to 3.5 +* Limits are set for most of the components +* Portal-Cassandra image updated to Bitnami, supporting IPv4/IPv6 Dual Stack +* CMPv2 external issuer implemented which extends Cert-Manager with ability to + enroll X.509 certificates from CMPv2 servers +* New version for mariadb galera using Bitnami image, supporting IPv4/IPv6 Dual + Stack +* Bump version of common PostgreSQL and ElasticSearch +* Move to automatic certificates retrieval for 80% of the components +* Consistent retrieval of docker images, with ability to configure proxy for + the 4 repositories used by ONAP + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://jira.onap.org/projects/OOM/versions/11073 + +major issues solved: + +* Better handling of persistence on PostgreSQL +* Better Ingress templating +* Better Service templating + +**Known Issues** + +- `OOM-2554 `_ Common pods have java 8 +- `OOM-2435 `_ SDNC karaf shell: + log:list: Error executing command: Unrecognized configuration +- `OOM-2629 `_ NetBox demo entry setup + not complete +- `OOM-2706 `_ CDS Blueprint Processor + does not work with local DB +- `OOM-2713 `_ Problem on onboarding + custom cert to SDNC ONAP during deployment +- `OOM-2698 `_ SO helm override fails in + for value with multi-level replacement +- `OOM-2697 `_ SO with local MariaDB + deployment fails +- `OOM-2538 `_ strange error with + CertInitializer template +- `OOM-2547 `_ Health Check failures + seen after bringing down/up control plane & worker node VM instances on which + ONAP hosted +- `OOM-2699 `_ SO so-mariadb + readinessCheck fails for local MariaDB instance +- `OOM-2705 `_ SDNC DB installation fails + on local MariaDB instance +- `OOM-2603 `_ [SDNC] allign password for + scaleoutUser/restconfUser/odlUser + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts `_ that needs to be +"compiled" into Helm package. see step 6 in +:doc:`quickstart guide `. + +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- :doc:`Project Description ` +- :doc:`Cloud Setup Guide ` +- :doc:`Quick Start Guide ` +- :doc:`Setup Ingress Controller ` +- :doc:`Developer Guide ` +- :doc:`Hardcoded Certificates ` + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + +- Hard coded password used for all OOM deployments + [`OJSI-188 `_] +- :doc:`Hard coded certificates ` in Helm packages + +Workarounds +----------- + +- ``_ + Workaround is to generate a password with "short" strenght or pregenerate + passwords without single quote in it. Default deployment is using "short" + password generation for mariadb. + +Security Notes +-------------- + +**Fixed Security Issues** + +References +========== + +For more information on the ONAP Frankfurt release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/release-notes.rst b/docs/release-notes.rst index ae0ea457f5..bb9c2e888c 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -11,6 +11,7 @@ ONAP Operations Manager Release Notes Previous Release Notes ====================== +- :ref:`Honolulu ` - :ref:`Guilin ` - :ref:`Frankfurt ` - :ref:`El Alto ` @@ -22,12 +23,12 @@ Previous Release Notes Abstract ======== -This document provides the release notes for the Honolulu release. +This document provides the release notes for the Istanbul release. Summary ======= -The focus of this release is to strengthen the foundation of OOM installer. + Release Data ============ @@ -39,66 +40,25 @@ Release Data | **Docker images** | N/A | | | | +--------------------------------------+--------------------------------------+ -| **Release designation** | Honolulu | +| **Release designation** | Istanbul | | | | +--------------------------------------+--------------------------------------+ -| **Release date** | 2021/04/29 | +| **Release date** | | | | | +--------------------------------------+--------------------------------------+ New features ------------ -* Kubernetes support for version up to 1.20 -* Helm support for version up to 3.5 -* Limits are set for most of the components -* Portal-Cassandra image updated to Bitnami, supporting IPv4/IPv6 Dual Stack -* CMPv2 external issuer implemented which extends Cert-Manager with ability to - enroll X.509 certificates from CMPv2 servers -* New version for mariadb galera using Bitnami image, supporting IPv4/IPv6 Dual - Stack -* Bump version of common PostgreSQL and ElasticSearch -* Move to automatic certificates retrieval for 80% of the components -* Consistent retrieval of docker images, with ability to configure proxy for - the 4 repositories used by ONAP **Bug fixes** A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/11073 - -major issues solved: +https://jira.onap.org/projects/OOM/versions/11074 -* Better handling of persistence on PostgreSQL -* Better Ingress templating -* Better Service templating **Known Issues** -- `OOM-2554 `_ Common pods have java 8 -- `OOM-2435 `_ SDNC karaf shell: - log:list: Error executing command: Unrecognized configuration -- `OOM-2629 `_ NetBox demo entry setup - not complete -- `OOM-2706 `_ CDS Blueprint Processor - does not work with local DB -- `OOM-2713 `_ Problem on onboarding - custom cert to SDNC ONAP during deployment -- `OOM-2698 `_ SO helm override fails in - for value with multi-level replacement -- `OOM-2697 `_ SO with local MariaDB - deployment fails -- `OOM-2538 `_ strange error with - CertInitializer template -- `OOM-2547 `_ Health Check failures - seen after bringing down/up control plane & worker node VM instances on which - ONAP hosted -- `OOM-2699 `_ SO so-mariadb - readinessCheck fails for local MariaDB instance -- `OOM-2705 `_ SDNC DB installation fails - on local MariaDB instance -- `OOM-2603 `_ [SDNC] allign password for - scaleoutUser/restconfUser/odlUser Deliverables ------------ @@ -126,17 +86,27 @@ Known Limitations, Issues and Workarounds Known Vulnerabilities --------------------- -- Hard coded password used for all OOM deployments - [`OJSI-188 `_] -- :doc:`Hard coded certificates ` in Helm packages Workarounds ----------- -- ``_ - Workaround is to generate a password with "short" strenght or pregenerate - passwords without single quote in it. Default deployment is using "short" - password generation for mariadb. +- `OOM-2754 `_ + Because of *updateEndpoint* property added to *cmpv2issuer* CRD + it is impossible to upgrade platform component from Honolulu to Istanbul + release without manual steps. Actions that should be performed: + + #. Update the CRD definition:: + + > kubectl -n onap apply -f oom/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml + #. Upgrade the component:: + + > helm -n onap upgrade dev-platform oom/kubernetes/platform + #. Make sure that *cmpv2issuer* contains correct value for + *spec.updateEndpoint*. The value should be: *v1/certificate-update*. + If it's not, edit the resource:: + + > kubectl -n onap edit cmpv2issuer cmpv2-issuer-onap + Security Notes -------------- @@ -146,7 +116,7 @@ Security Notes References ========== -For more information on the ONAP Frankfurt release, please see: +For more information on the ONAP Istanbul release, please see: #. `ONAP Home Page`_ #. `ONAP Documentation`_ diff --git a/kubernetes/aai/components/aai-babel/resources/config/application.properties b/kubernetes/aai/components/aai-babel/resources/config/application.properties new file mode 100644 index 0000000000..21ed6cd9ee --- /dev/null +++ b/kubernetes/aai/components/aai-babel/resources/config/application.properties @@ -0,0 +1,14 @@ +server.port=9516 +{{ if ( include "common.needTLS" .) }} +server.ssl.key-store=${CONFIG_HOME}/auth/tomcat_keystore +server.ssl.client-auth=need +{{ else }} +security.require-ssl=false +server.ssl.enabled=false +{{ end }} + +server.servlet.context-path=/services/babel-service + +logging.config=${CONFIG_HOME}/logback.xml + +tosca.mappings.config=${CONFIG_HOME}/tosca-mappings.json diff --git a/kubernetes/aai/components/aai-babel/templates/service.yaml b/kubernetes/aai/components/aai-babel/templates/service.yaml index db54ce14f2..87a29db457 100644 --- a/kubernetes/aai/components/aai-babel/templates/service.yaml +++ b/kubernetes/aai/components/aai-babel/templates/service.yaml @@ -32,11 +32,11 @@ spec: {{- if eq .Values.service.type "NodePort" }} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} {{- else }} - port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} {{- end }} selector: diff --git a/kubernetes/aai/components/aai-babel/values.yaml b/kubernetes/aai/components/aai-babel/values.yaml index 4a2246793e..14a2993c2a 100644 --- a/kubernetes/aai/components/aai-babel/values.yaml +++ b/kubernetes/aai/components/aai-babel/values.yaml @@ -24,7 +24,7 @@ global: {} ################################################################# # application image -image: onap/babel:1.8.0 +image: onap/babel:1.9.1 flavor: small flavorOverride: small @@ -55,7 +55,7 @@ readiness: service: type: NodePort - portName: babel + portName: http externalPort: 9516 internalPort: 9516 nodePort: 79 diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties index e62ba07bfd..512e906b00 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties @@ -24,20 +24,28 @@ aai.config.checktime=1000 # this could come from siteconfig.pl? aai.config.nodename=AutomaticallyOverwritten +{{ if ( include "common.needTLS" .) }} aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ +{{ else }} +aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ +aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ +aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ +{{ end }} -{{ if .Values.global.config.basic.auth.enabled }} +{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} aai.tools.enableBasicAuth=true aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} {{ end }} +{{ if ( include "common.needTLS" .) }} aai.truststore.filename={{ .Values.global.config.truststore.filename }} aai.truststore.passwd.x={{ .Values.global.config.truststore.passwd }} aai.keystore.filename={{ .Values.global.config.keystore.filename }} aai.keystore.passwd.x={{ .Values.global.config.keystore.passwd }} +{{ end }} aai.notification.current.version={{ .Values.global.config.schema.version.api.default }} aai.notificationEvent.default.status=UNPROCESSED diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties index 8cefebc825..367e9038cd 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties @@ -33,7 +33,7 @@ server.servlet.context-path=/ spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration -spring.profiles.active={{ .Values.config.profiles.active }} +spring.profiles.active={{ .Values.config.profiles.active }}{{ (eq "true" (include "common.needTLS" .)) | ternary ",one-way-ssl" "" }} spring.jersey.application-path=${schema.uri.base.path} #The max number of active threads in this pool server.tomcat.max-threads=200 @@ -48,6 +48,7 @@ server.local.startpath=aai-graphadmin/src/main/resources/ server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties server.port=8449 +{{ if ( include "common.needTLS" .) }} server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 server.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }} server.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }}) @@ -55,11 +56,15 @@ server.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.conf server.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }}) server.ssl.client-auth=want server.ssl.key-store-type=JKS +{{ else }} +security.require-ssl=false +server.ssl.enabled=false +{{ end }} # JMS bind address host port jms.bind.address=tcp://localhost:61649 -dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:3905 -dmaap.ribbon.transportType=https +dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} +dmaap.ribbon.transportType={{ include "common.scheme" . }} # Schema related attributes for the oxm and edges # Any additional schema related attributes should start with prefix schema @@ -91,23 +96,28 @@ schema.version.edge.label.start={{ .Values.global.config.schema.version.edge.lab schema.version.api.default={{ .Values.global.config.schema.version.api.default }} schema.translator.list={{ .Values.global.config.schema.translator.list }} -schema.service.base.url=https://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/ +schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/ schema.service.nodes.endpoint=nodes?version= schema.service.edges.endpoint=edgerules?version= schema.service.versions.endpoint=versions -schema.service.client={{ .Values.global.config.schema.service.client }} +schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} +{{ if ( include "common.needTLS" .) }} schema.service.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }} schema.service.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.truststore.filename }} schema.service.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }}) schema.service.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }}) +{{ end }} aperture.rdbmsname=aai_relational -aperture.service.client={{ .Values.global.config.schema.service.client }} +aperture.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} + aperture.service.base.url=http://localhost:8457/aai/aperture +{{ if ( include "common.needTLS" .) }} aperture.service.ssl.key-store=${server.local.startpath}etc/auth/{{ .Values.global.config.keystore.filename }} aperture.service.ssl.trust-store=${server.local.startpath}etc/auth/{{ .Values.global.config.truststore.filename }} aperture.service.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }}) aperture.service.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }}) +{{ end }} aperture.service.timeout-in-milliseconds=300000 diff --git a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml index 45e4802ede..610290061f 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml @@ -210,4 +210,4 @@ spec: {{ end }} restartPolicy: {{ .Values.restartPolicy }} imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + - name: {{ include "common.namespace" . }}-docker-registry-key diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml index 154ad30c1a..0cdce11395 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml @@ -80,8 +80,10 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - /bin/bash - - docker-entrypoint.sh - - dataSnapshot.sh + - -c + - | + bash docker-entrypoint.sh dataSnapshot.sh ; + {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }} env: - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml index 79144680b4..7c078e9236 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml @@ -80,8 +80,10 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - /bin/bash - - docker-entrypoint.sh - - createDBSchema.sh + - -c + - | + bash docker-entrypoint.sh createDBSchema.sh ; + {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }} env: - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} @@ -149,5 +151,5 @@ spec: {{ end }} restartPolicy: Never imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + - name: {{ include "common.namespace" . }}-docker-registry-key {{ end }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml index 4b100dd97b..9b4be4e4c7 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml @@ -130,7 +130,9 @@ spec: command: - /bin/bash - -c - - bash docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges + - | + bash docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges ; + {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }} env: - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} @@ -248,8 +250,10 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - /bin/bash - - docker-entrypoint.sh - - dataSnapshot.sh + - -c + - | + bash docker-entrypoint.sh dataSnapshot.sh ; + {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }} env: - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml index 2f7aaa960d..85165e2dc4 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml @@ -35,17 +35,16 @@ spec: {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.portName2 }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} name: {{ .Values.service.portName2 }} {{- end}} selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} - clusterIP: None diff --git a/kubernetes/aai/components/aai-graphadmin/values.yaml b/kubernetes/aai/components/aai-graphadmin/values.yaml index c29004e837..cdbef0dd8a 100644 --- a/kubernetes/aai/components/aai-graphadmin/values.yaml +++ b/kubernetes/aai/components/aai-graphadmin/values.yaml @@ -61,6 +61,7 @@ global: # global defaults # Schema specific properties that include supported versions of api schema: # Specifies if the connection should be one way ssl, two way ssl or no auth + # will be set to no-auth if tls is disabled service: client: one-way-ssl # Specifies which translator to use if it has schema-service, then it will @@ -77,11 +78,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v21 + default: v24 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24 # Specifies from which version related link should appear related: link: v11 @@ -118,7 +119,7 @@ global: # global defaults # application image -image: onap/aai-graphadmin:1.8.0 +image: onap/aai-graphadmin:1.9.1 pullPolicy: Always restartPolicy: Always flavor: small @@ -139,7 +140,9 @@ config: # Specify the profiles for the graphadmin microservice profiles: - active: "dmaap,one-way-ssl" + # one way ssl profile will be set unless tlsEnabled is set to false or serviceMesh is enabled and + # serviceMesh.tls is set to tru + active: dmaap #,one-way-ssl" # Specifies the timeout limit for the REST API requests timeout: @@ -208,9 +211,9 @@ readiness: service: type: ClusterIP # REST API port for the graphadmin microservice - portName: aai-graphadmin-8449 + portName: http internalPort: 8449 - portName2: aai-graphadmin-5005 + portName2: tcp-5005 internalPort2: 5005 terminationGracePeriodSeconds: 120 diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties index 772fa0da1b..41b855490a 100644 --- a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties +++ b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties @@ -16,13 +16,19 @@ # Model Loader Distribution Client Configuration */}} ml.distribution.ACTIVE_SERVER_TLS_AUTH=false +{{ if ( include "common.needTLS" .) }} ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8443 -ml.distribution.CONSUMER_GROUP=aai-ml-group -ml.distribution.CONSUMER_ID=aai-ml -ml.distribution.ENVIRONMENT_NAME=AUTO +ml.distribution.ASDC_USE_HTTPS=true ml.distribution.KEYSTORE_PASSWORD= ml.distribution.KEYSTORE_FILE=asdc-client.jks ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp +{{ else }} +ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8080 +ml.distribution.ASDC_USE_HTTPS=false +{{ end }} +ml.distribution.CONSUMER_GROUP=aai-ml-group +ml.distribution.CONSUMER_ID=aai-ml +ml.distribution.ENVIRONMENT_NAME=AUTO ml.distribution.POLLING_INTERVAL=30 ml.distribution.POLLING_TIMEOUT=20 ml.distribution.USER=aai @@ -30,19 +36,26 @@ ml.distribution.ARTIFACT_TYPES=MODEL_QUERY_SPEC,TOSCA_CSAR ml.distribution.MSG_BUS_ADDRESSES=message-router.{{.Release.Namespace}} # Model Loader AAI REST Client Configuration +{{ if ( include "common.needTLS" .) }} ml.aai.BASE_URL=https://aai.{{.Release.Namespace}}:8443 +ml.aai.KEYSTORE_FILE=aai-os-cert.p12 +ml.aai.KEYSTORE_PASSWORD=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o +{{ else }} +ml.aai.BASE_URL=http://aai.{{.Release.Namespace}}:8080 +{{ end }} ml.aai.MODEL_URL=/aai/v*/service-design-and-creation/models/model/ ml.aai.NAMED_QUERY_URL=/aai/v*/service-design-and-creation/named-queries/named-query/ ml.aai.VNF_IMAGE_URL=/aai/v*/service-design-and-creation/vnf-images -ml.aai.KEYSTORE_FILE=aai-os-cert.p12 -ml.aai.KEYSTORE_PASSWORD=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o + ml.aai.AUTH_USER=ModelLoader ml.aai.AUTH_PASSWORD=OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw # Model Loader Babel REST Client Configuration\r -ml.babel.BASE_URL=https://aai-babel.{{.Release.Namespace}}:9516 +ml.babel.BASE_URL={{ include "common.scheme" . }}://aai-babel.{{.Release.Namespace}}:9516 ml.babel.GENERATE_ARTIFACTS_URL=/services/babel-service/v1/app/generateArtifacts +{{ if ( include "common.needTLS" .) }} ml.babel.KEYSTORE_FILE=babel-client-cert.p12 ml.babel.KEYSTORE_PASSWORD=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 ml.babel.TRUSTSTORE_FILE=tomcat_keystore ml.babel.TRUSTSTORE_PASSWORD=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 +{{ end }} diff --git a/kubernetes/aai/components/aai-modelloader/values.yaml b/kubernetes/aai/components/aai-modelloader/values.yaml index 5da0e5736f..96780757c0 100644 --- a/kubernetes/aai/components/aai-modelloader/values.yaml +++ b/kubernetes/aai/components/aai-modelloader/values.yaml @@ -21,7 +21,7 @@ global: # global defaults # application image -image: onap/model-loader:1.8.0 +image: onap/model-loader:1.9.1 pullPolicy: Always restartPolicy: Always flavor: small @@ -50,11 +50,11 @@ readiness: service: type: NodePort - portName: aai-modelloader + portName: http externalPort: 8080 internalPort: 8080 nodePort: 10 - portName2: aai-modelloader-ssl + portName2: https externalPort2: 8443 internalPort2: 8443 nodePort2: 29 diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties index 0d51326f3b..2e6fd25c2b 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties @@ -38,9 +38,15 @@ aai.config.checktime=1000 # this could come from siteconfig.pl? aai.config.nodename=AutomaticallyOverwritten +{{ if ( include "common.needTLS" .) }} aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ +{{ else }} +aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ +aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ +aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ +{{ end }} {{ if .Values.global.config.basic.auth.enabled }} aai.tools.enableBasicAuth=true @@ -48,10 +54,12 @@ aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} {{ end }} +{{ if ( include "common.needTLS" .) }} aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD} aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 aai.keystore.passwd.x=${KEYSTORE_PASSWORD} +{{ end }} aai.notification.current.version={{ .Values.global.config.schema.version.api.default }} aai.notificationEvent.default.status=UNPROCESSED diff --git a/kubernetes/aai/components/aai-resources/resources/config/application.properties b/kubernetes/aai/components/aai-resources/resources/config/application.properties index 70ebd3ac54..78a07f2a0f 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/application.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/application.properties @@ -27,9 +27,9 @@ spring.jersey.type=filter spring.main.allow-bean-definition-overriding=true server.servlet.context-path=/ -spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration +spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration -spring.profiles.active={{ .Values.global.config.profiles.active }} +spring.profiles.active={{ .Values.global.config.profiles.active }}{{ .Values.global.aafEnabled | ternary ",aaf-auth" "" }} spring.jersey.application-path=${schema.uri.base.path} #The max number of active threads in this pool server.tomcat.max-threads=200 @@ -44,6 +44,7 @@ server.local.startpath=aai-resources/src/main/resources/ server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties server.port=8447 +{{ if ( include "common.needTLS" .) }} server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 server.ssl.key-store-password=${KEYSTORE_PASSWORD} @@ -51,11 +52,15 @@ server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certIn server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} server.ssl.client-auth=want server.ssl.key-store-type=JKS +{{ else }} +security.require-ssl=false +server.ssl.enabled=false +{{ end }} # JMS bind address host port jms.bind.address=tcp://localhost:61647 -dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:3905 -dmaap.ribbon.transportType=https +dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} +dmaap.ribbon.transportType={{ include "common.scheme" . }} # Schema related attributes for the oxm and edges # Any additional schema related attributes should start with prefix schema @@ -87,13 +92,15 @@ schema.version.edge.label.start={{ .Values.global.config.schema.version.edge.lab schema.version.api.default={{ .Values.global.config.schema.version.api.default }} schema.translator.list={{ .Values.global.config.schema.translator.list }} -schema.service.base.url=https://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/ +schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/ schema.service.nodes.endpoint=nodes?version= schema.service.edges.endpoint=edgerules?version= schema.service.versions.endpoint=versions -schema.service.client={{ .Values.global.config.schema.service.client }} +schema.service.client={{ (eq "true" ( include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} +{{ if ( include "common.needTLS" .) }} schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks schema.service.ssl.key-store-password=${KEYSTORE_PASSWORD} schema.service.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} +{{ end }} diff --git a/kubernetes/aai/components/aai-resources/templates/service.yaml b/kubernetes/aai/components/aai-resources/templates/service.yaml index e4f84a963d..46118461d1 100644 --- a/kubernetes/aai/components/aai-resources/templates/service.yaml +++ b/kubernetes/aai/components/aai-resources/templates/service.yaml @@ -30,13 +30,13 @@ spec: {{ if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.portName2 }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} name: {{ .Values.service.portName2 }} {{- end }} diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml index 2ec78c57c4..42692dd544 100644 --- a/kubernetes/aai/components/aai-resources/values.yaml +++ b/kubernetes/aai/components/aai-resources/values.yaml @@ -33,6 +33,8 @@ global: # global defaults migration: enabled: false + aafEnabled: false + config: # Specifies that the cluster connected to a dynamic # cluster being spinned up by kubernetes deployment @@ -49,7 +51,8 @@ global: # global defaults # Active spring profiles for the resources microservice profiles: - active: production,dmaap,aaf-auth #,keycloak + # aaf-auth profile will be automatically set if aaf enabled is set to true + active: production,dmaap #,aaf-auth # Notification event specific properties notification: @@ -74,11 +77,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v21 + default: v24 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24 # Specifies from which version related link should appear related: link: v11 @@ -154,7 +157,7 @@ certInitializer: chown -R 1000 {{ .Values.credsPath }} # application image -image: onap/aai-resources:1.8.2 +image: onap/aai-resources:1.9.1 pullPolicy: Always restartPolicy: Always flavor: small @@ -224,9 +227,9 @@ readiness: service: type: ClusterIP - portName: aai-resources-8447 + portName: http internalPort: 8447 - portName2: aai-resources-5005 + portName2: tcp-5005 internalPort2: 5005 terminationGracePeriodSeconds: 120 diff --git a/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties b/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties index b107cd4f3a..b0ed0e89a0 100644 --- a/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties @@ -19,20 +19,28 @@ # ============LICENSE_END========================================================= */}} +{{ if ( include "common.needTLS" .) }} aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ +{{ else }} +aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ +aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ +aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ +{{ end }} -{{ if .Values.global.config.basic.auth.enabled }} +{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} aai.tools.enableBasicAuth=true aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} {{ end }} +{{ if ( include "common.needTLS" .) }} aai.truststore.filename={{ .Values.global.config.truststore.filename }} aai.truststore.passwd.x={{ .Values.global.config.truststore.passwd }} aai.keystore.filename={{ .Values.global.config.keystore.filename }} aai.keystore.passwd.x={{ .Values.global.config.keystore.passwd }} +{{ end }} aai.default.api.version={{ .Values.global.config.schema.version.api.default }} diff --git a/kubernetes/aai/components/aai-schema-service/config/application.properties b/kubernetes/aai/components/aai-schema-service/config/application.properties index 499fa96cd5..ad700dce6e 100644 --- a/kubernetes/aai/components/aai-schema-service/config/application.properties +++ b/kubernetes/aai/components/aai-schema-service/config/application.properties @@ -37,6 +37,7 @@ server.local.startpath=aai-schema-service/src/main/resources/ server.basic.auth.location=${server.local.startpath}/etc/auth/realm.properties server.port=8452 +{{ if ( include "common.needTLS" .) }} server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 server.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }} server.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }}) @@ -44,6 +45,10 @@ server.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.conf server.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }}) server.ssl.client-auth=want server.ssl.key-store-type=JKS +{{ else }} +security.require-ssl=false +server.ssl.enabled=false +{{ end }} schema.configuration.location=N/A schema.source.name={{ .Values.global.config.schema.source.name }} diff --git a/kubernetes/aai/components/aai-schema-service/templates/service.yaml b/kubernetes/aai/components/aai-schema-service/templates/service.yaml index 66dfd493dd..b54b6be644 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/service.yaml +++ b/kubernetes/aai/components/aai-schema-service/templates/service.yaml @@ -30,17 +30,16 @@ spec: {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.portName2 }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} name: {{ .Values.service.portName2 }} - {{- end}} + {{- end }} selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} - clusterIP: None diff --git a/kubernetes/aai/components/aai-schema-service/values.yaml b/kubernetes/aai/components/aai-schema-service/values.yaml index e7479b8818..18ef89f1fd 100644 --- a/kubernetes/aai/components/aai-schema-service/values.yaml +++ b/kubernetes/aai/components/aai-schema-service/values.yaml @@ -40,11 +40,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v23 + default: v24 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24 # Specifies from which version related link should appear related: link: v11 @@ -74,7 +74,7 @@ global: # global defaults - aai_keystore # application image -image: onap/aai-schema-service:1.8.6 +image: onap/aai-schema-service:1.9.1 pullPolicy: Always restartPolicy: Always flavorOverride: small @@ -99,9 +99,9 @@ readiness: service: type: ClusterIP - portName: aai-schema-service-8452 + portName: http internalPort: 8452 - portName2: aai-schema-service-5005 + portName2: tcp-5005 internalPort2: 5005 ingress: diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties index fe8bd16fa1..ee1341751f 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties @@ -18,12 +18,15 @@ oxm.schemaNodeDir=/opt/app/sparky/onap/oxm #schemaServiceTranslator is used to define whether to retreive the oxm from schema service microservice or read from the disk, possible values are schema-service/config oxm.schemaServiceTranslatorList=config # The end point for onap is https://:/onap/schema-service/v1/ +{{ if ( include "common.needTLS" .) }} oxm.schemaServiceBaseUrl=https:///aai/schema-service/v1/ oxm.schemaServiceKeystore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 oxm.schemaServiceTruststore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks oxm.schemaServiceKeystorePassword=${KEYSTORE_PASSWORD} oxm.schemaServiceTruststorePassword=${TRUSTSTORE_PASSWORD} - +{{ else }} +oxm.schemaServiceBaseUrl=http:///aai/schema-service/v1/ +{{ end }} # Schema Service need this variable for the time being diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties index 3c6bd4e1ad..8bd4494a2b 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties @@ -15,6 +15,7 @@ */}} resources.hostname=aai +{{ if ( include "common.needTLS" .) }} resources.port=8443 resources.authType=SSL_BASIC resources.basicAuthUserName=aai@aai.onap.org @@ -23,3 +24,7 @@ resources.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certIni resources.trust-store-password=${TRUSTSTORE_PASSWORD} resources.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 resources.client-cert-password=${KEYSTORE_PASSWORD} +{{ else }} +resources.port=8080 +resources.authType=HTTP_NOAUTH +{{ end }} diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties index 2e2351ad95..422e7ce150 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties @@ -13,8 +13,13 @@ # limitations under the License. server.port=8000 +{{ if ( include "common.needTLS" .) }} server.ssl.key-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 server.ssl.key-store-password=${KEYSTORE_PASSWORD} server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 server.ssl.trust-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} +{{ else }} +security.require-ssl=false +server.ssl.enabled=false +{{ end }} diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties index 120f8ac114..90cb00069e 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties @@ -22,14 +22,16 @@ spring.mvc.favicon.enabled=false # and in the values.yaml change the internalPort to 9517 # -spring.profiles.active=camel,ssl,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy +spring.profiles.active=camel,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy,{{ ( eq "true" ( include "common.needTLS" .)) | ternary "ssl" "http" }} portal.cadiFileLocation={{.Values.config.cadiFileLocation}} searchservice.hostname={{.Values.global.searchData.serviceName}} searchservice.port=9509 +{{ if ( include "common.needTLS" .) }} searchservice.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 searchservice.client-cert-password=${KEYSTORE_PASSWORD} searchservice.truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks searchservice.truststore-password=${TRUSTSTORE_PASSWORD} +{{ end }} schema.ingest.file=${CONFIG_HOME}/schemaIngest.properties diff --git a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml index 7d0dfe39e2..7c09dcd228 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml @@ -39,6 +39,7 @@ spec: name: {{ include "common.name" . }} spec: initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + {{- if ( include "common.needTLS" .) }} - command: - sh args: @@ -66,6 +67,7 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config + {{- end }} - command: - /app/ready.py args: diff --git a/kubernetes/aai/components/aai-sparky-be/templates/service.yaml b/kubernetes/aai/components/aai-sparky-be/templates/service.yaml index 4633472a3b..457b3576a0 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/service.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/service.yaml @@ -30,11 +30,11 @@ spec: {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} + name: {{ .Values.service.portName }}{{ ternary "s" "" (eq "true" (include "common.needTLS" .)) }} + {{- end }} selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml index 420517f8f0..342df7a5d5 100644 --- a/kubernetes/aai/components/aai-sparky-be/values.yaml +++ b/kubernetes/aai/components/aai-sparky-be/values.yaml @@ -113,7 +113,7 @@ readiness: service: type: NodePort - portName: aai-sparky-be + portName: http internalPort: 8000 nodePort: 20 diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties index 843a90bbcd..b8a2b5fe03 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties @@ -28,20 +28,28 @@ aai.config.checktime=1000 # this could come from siteconfig.pl? aai.config.nodename=AutomaticallyOverwritten +{{ if ( include "common.needTLS" .) }} aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ +{{else}} +aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ +aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ +aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ +{{ end }} -{{ if .Values.global.config.basic.auth.enabled }} +{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} aai.tools.enableBasicAuth=true aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} {{ end }} +{{ if ( include "common.needTLS" .) }} aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD} aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 aai.keystore.passwd.x=${KEYSTORE_PASSWORD} +{{ end }} aai.notification.current.version={{ .Values.global.config.schema.version.api.default }} aai.notificationEvent.default.status=UNPROCESSED diff --git a/kubernetes/aai/components/aai-traversal/resources/config/application.properties b/kubernetes/aai/components/aai-traversal/resources/config/application.properties index a5e92c5a61..24a5241fe2 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/application.properties +++ b/kubernetes/aai/components/aai-traversal/resources/config/application.properties @@ -27,9 +27,8 @@ spring.jersey.type=filter spring.main.allow-bean-definition-overriding=true server.servlet.context-path=/ -spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration - -spring.profiles.active={{ .Values.global.config.profiles.active }} +spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration +spring.profiles.active={{ .Values.global.config.profiles.active }}{{ (eq "true" (include "common.needTLS" .)) | ternary ",one-way-ssl" "" }} spring.jersey.application-path=${schema.uri.base.path} #The max number of active threads in this pool server.tomcat.max-threads=200 @@ -44,6 +43,7 @@ server.local.startpath=aai-traversal/src/main/resources/ server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties server.port=8446 +{{ if ( include "common.needTLS" .) }} server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 server.ssl.key-store-password=${KEYSTORE_PASSWORD} @@ -51,11 +51,15 @@ server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certIn server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} server.ssl.client-auth=want server.ssl.key-store-type=JKS +{{ else }} +security.require-ssl=false +server.ssl.enabled=false +{{ end }} # JMS bind address host port jms.bind.address=tcp://localhost:61647 -dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:3905 -dmaap.ribbon.transportType=https +dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} +dmaap.ribbon.transportType={{ include "common.scheme" . }} # Schema related attributes for the oxm and edges # Any additional schema related attributes should start with prefix schema @@ -89,14 +93,16 @@ schema.version.edge.label.start={{ .Values.global.config.schema.version.edge.lab schema.version.api.default={{ .Values.global.config.schema.version.api.default }} schema.translator.list={{ .Values.global.config.schema.translator.list }} -schema.service.base.url=https://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/ +schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/ schema.service.nodes.endpoint=nodes?version= schema.service.edges.endpoint=edgerules?version= schema.service.versions.endpoint=versions schema.service.custom.queries.endpoint=stored-queries -schema.service.client={{ .Values.global.config.schema.service.client }} +schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} +{{ if ( include "common.needTLS" .) }} schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks schema.service.ssl.key-store-password=${KEYSTORE_PASSWORD} schema.service.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} +{{ end }} diff --git a/kubernetes/aai/components/aai-traversal/templates/job.yaml b/kubernetes/aai/components/aai-traversal/templates/job.yaml index 2eac7fe722..42f0f47bb0 100644 --- a/kubernetes/aai/components/aai-traversal/templates/job.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/job.yaml @@ -69,10 +69,16 @@ spec: - bash - "-c" - | - set -x - if [ ! -d /opt/aai/logroot/AAI-GQ/misc ]; then mkdir -p /opt/aai/logroot/AAI-GQ/misc; fi - until nc -w10 -z -v aai.{{.Release.Namespace}} 8443; do echo "Retrying to reach aai on port 8443"; done; - bash -x /opt/app/aai-traversal/docker-entrypoint.sh install/updateQueryData.sh + set -x + if [ ! -d /opt/aai/logroot/AAI-GQ/misc ]; then mkdir -p /opt/aai/logroot/AAI-GQ/misc; fi + {{- if (include "common.needTLS" .) }} + until nc -w10 -z -v aai.{{.Release.Namespace}} 8443; do echo "Retrying to reach aai on port 8443"; done; + bash -x /opt/app/aai-traversal/docker-entrypoint.sh install/updateQueryData.sh + {{- else }} + until nc -w10 -z -v aai.{{.Release.Namespace}} 80; do echo "Retrying to reach aai on port 80"; done; + bash -x /opt/app/aai-traversal/docker-entrypoint.sh install/updateQueryData.sh ; + {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }} + {{- end }} env: - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} diff --git a/kubernetes/aai/components/aai-traversal/templates/service.yaml b/kubernetes/aai/components/aai-traversal/templates/service.yaml index fad857bb41..b54b6be644 100644 --- a/kubernetes/aai/components/aai-traversal/templates/service.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/service.yaml @@ -30,16 +30,16 @@ spec: {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.portName2 }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} name: {{ .Values.service.portName2 }} - {{- end}} + {{- end }} selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} diff --git a/kubernetes/aai/components/aai-traversal/values.yaml b/kubernetes/aai/components/aai-traversal/values.yaml index 7ad96005ad..70f3e9e6a7 100644 --- a/kubernetes/aai/components/aai-traversal/values.yaml +++ b/kubernetes/aai/components/aai-traversal/values.yaml @@ -59,7 +59,7 @@ global: # global defaults # Active spring profiles for the resources microservice profiles: - active: production,dmaap,aaf-auth #,keycloak + active: production,dmaap #,aaf-auth ,keycloak # Notification event specific properties notification: @@ -84,11 +84,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v21 + default: v24 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24 # Specifies from which version related link should appear related: link: v11 @@ -140,7 +140,7 @@ certInitializer: chown -R 1000 {{ .Values.credsPath }} # application image -image: onap/aai-traversal:1.8.0 +image: onap/aai-traversal:1.9.1 pullPolicy: Always restartPolicy: Always flavor: small @@ -249,9 +249,9 @@ readiness: service: type: ClusterIP - portName: aai-traversal-8446 + portName: http internalPort: 8446 - portName2: aai-traversal-5005 + portName2: tcp-5005 internalPort2: 5005 terminationGracePeriodSeconds: 120 diff --git a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg index e605e1886f..9fa6d2ee9b 100644 --- a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg +++ b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg @@ -106,7 +106,7 @@ frontend IST_8443 ####################### -#DEFAULT BACKEND 847### +#DEFAULT BACKEND 8447## ####################### backend IST_Default_8447 diff --git a/kubernetes/aai/resources/config/haproxy/haproxy.cfg b/kubernetes/aai/resources/config/haproxy/haproxy.cfg index c8f3670349..1db4addb5a 100644 --- a/kubernetes/aai/resources/config/haproxy/haproxy.cfg +++ b/kubernetes/aai/resources/config/haproxy/haproxy.cfg @@ -35,7 +35,9 @@ defaults log global mode http option httplog +{{- if ( include "common.needTLS" .) }} option ssl-hello-chk +{{- end }} option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ QUFJOkFBSQ== default-server init-addr none # option dontlognull @@ -58,6 +60,37 @@ defaults timeout http-keep-alive 30000 +frontend IST_8080 + mode http + bind 0.0.0.0:8080 + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" + option httplog + log global + option logasap + option forwardfor + capture request header Host len 100 + capture response header Host len 100 + option log-separate-errors + option forwardfor + http-request set-header X-Forwarded-Proto http + reqadd X-Forwarded-Proto:\ http + reqadd X-Forwarded-Port:\ 8080 + +####################### +#ACLS FOR PORT 8446#### +####################### + + acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$ + acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$ + acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$ + acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$ + acl is_named-query path_beg -i /aai/search/named-query + acl is_search-model path_beg -i /aai/search/model + use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl + + default_backend IST_Default_8447 + +{{- if ( include "common.needTLS" .) }} frontend IST_8443 mode http bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem @@ -88,6 +121,7 @@ frontend IST_8443 http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)] reqadd X-Forwarded-Proto:\ https reqadd X-Forwarded-Port:\ 8443 +{{- end }} ####################### #ACLS FOR PORT 8446#### @@ -103,17 +137,19 @@ frontend IST_8443 default_backend IST_Default_8447 - ####################### -#DEFAULT BACKEND 847### +#DEFAULT BACKEND 8447## ####################### backend IST_Default_8447 balance roundrobin http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; +{{- if ( include "common.needTLS" .) }} server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none - +{{- else }} + server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447 +{{- end }} ####################### # BACKEND 8446######### @@ -123,5 +159,8 @@ backend IST_AAI_8446 balance roundrobin http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; +{{- if ( include "common.needTLS" .) }} server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none - +{{- else }} + server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446 +{{- end }} diff --git a/kubernetes/aai/templates/deployment.yaml b/kubernetes/aai/templates/deployment.yaml index 4b08d10e45..80fcebbef7 100644 --- a/kubernetes/aai/templates/deployment.yaml +++ b/kubernetes/aai/templates/deployment.yaml @@ -78,20 +78,22 @@ spec: {{- include "common.certInitializer.volumeMount" . | nindent 8 }} ports: - containerPort: {{ .Values.service.internalPort }} + - containerPort: {{ .Values.service.internalPlainPort }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ .Values.service.internalPort }} + port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: httpGet: path: /aai/util/echo - port: {{ .Values.service.internalPort }} - scheme: HTTPS + port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + #scheme: HTTPS + scheme: {{ (eq "true" (include "common.needTLS" .)) | ternary "HTTPS" "HTTP" }} httpHeaders: - name: X-FromAppId value: OOM_ReadinessCheck diff --git a/kubernetes/aai/templates/service.yaml b/kubernetes/aai/templates/service.yaml index a9b3af9301..d93bfc9fd3 100644 --- a/kubernetes/aai/templates/service.yaml +++ b/kubernetes/aai/templates/service.yaml @@ -26,16 +26,12 @@ metadata: heritage: {{ .Release.Service }} spec: ports: - {{if eq .Values.service.type "NodePort" -}} - - name: {{ .Values.service.portName }} - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} + - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} + port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.externalPort .Values.service.externalPlainPort }} + targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + {{- if eq .Values.service.type "NodePort" }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} + {{- end }} type: {{ .Values.service.type }} selector: app: {{ include "common.name" . }} diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml index 1cb297078e..1122d63dab 100644 --- a/kubernetes/aai/values.yaml +++ b/kubernetes/aai/values.yaml @@ -202,8 +202,9 @@ global: # global defaults passwd: AAI # Active spring profiles for the resources microservice + # aaf-auth profile will be automatically set if aaf enabled is set to true profiles: - active: production,dmaap,aaf-auth + active: production,dmaap #,aaf-auth # Notification event specific properties notification: @@ -213,6 +214,7 @@ global: # global defaults # Schema specific properties that include supported versions of api schema: # Specifies if the connection should be one way ssl, two way ssl or no auth + # will be set to no-auth if tls is disabled service: client: one-way-ssl # Specifies which translator to use if it has schema-service, then it will make a rest request to schema service @@ -228,11 +230,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v23 + default: v24 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24 # Specifies from which version related link should appear related: link: v11 @@ -359,13 +361,16 @@ readiness: service: type: NodePort - portName: aai-ssl + portName: http externalPort: 8443 internalPort: 8443 nodePort: 33 # POLICY hotfix - Note this must be temporary # See https://jira.onap.org/browse/POLICY-510 aaiServiceClusterIp: + externalPlainPort: 80 + internalPlainPort: 8080 + nodeport: 33 ingress: enabled: false @@ -373,8 +378,8 @@ ingress: - baseaddr: "aai.api" name: "aai" port: 8443 - config: - ssl: "redirect" + config: + ssl: "redirect" resources: small: diff --git a/kubernetes/cds/components/cds-blueprints-processor/requirements.yaml b/kubernetes/cds/components/cds-blueprints-processor/requirements.yaml index 7a3a920087..baf1a760ab 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/requirements.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/requirements.yaml @@ -22,3 +22,7 @@ dependencies: - name: serviceAccount version: ~8.x-0 repository: '@local' + - name: certInitializer + version: ~8.x-0 + repository: '@local' + diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml index fd5265d2ce..d92f09a4c8 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml @@ -48,7 +48,7 @@ spec: app: {{ include "common.name" . }} release: {{ include "common.release" . }} spec: - initContainers: + initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - command: - sh args: @@ -113,6 +113,8 @@ spec: value: {{ if (gt (int (.Values.replicaCount)) 2) }} {{ .Values.cluster.enabled | quote }} {{ else }} "false" {{ end }} - name: CLUSTER_ID value: {{ .Values.cluster.clusterName }} + - name: AAF_CREDSPATH + value: {{ .Values.certInitializer.credsPath }} - name: CLUSTER_NODE_ID valueFrom: fieldRef: @@ -157,7 +159,7 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} - volumeMounts: + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -191,7 +193,7 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: + volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: localtime hostPath: path: /etc/localtime diff --git a/kubernetes/cds/components/cds-blueprints-processor/values.yaml b/kubernetes/cds/components/cds-blueprints-processor/values.yaml index 829bb220cd..d21598a4ba 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/values.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/values.yaml @@ -47,11 +47,32 @@ secrets: password: '{{ .Values.config.sdncDB.dbRootPass }}' passwordPolicy: required +################################################################# +# AAF part +################################################################# +certInitializer: + nameOverride: cds-blueprints-processor-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: sdnc-cds + fqi: sdnc-cds@sdnc-cds.onap.org + public_fqdn: sdnc-cds.onap.org + cadi_longitude: "0.0" + cadi_latitude: "0.0" + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + fqi_namespace: org.onap.sdnc-cds + aaf_add_config: > + /opt/app/aaf_config/bin/agent.sh; + /opt/app/aaf_config/bin/agent.sh local showpass + {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop + ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-blueprintsprocessor:1.1.5 +image: onap/ccsdk-blueprintsprocessor:1.2.0 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml b/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml index 523339ca70..3ce24e2e84 100755 --- a/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml @@ -47,6 +47,12 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + {{- if .Values.metrics.serviceMonitor.enabled }} + - name: PROMETHEUS_METRICS_ENABLED + value: {{ .Values.metrics.serviceMonitor.enabled | quote }} + - name: PROMETHEUS_PORT + value: {{ .Values.service.metrics.internalPort | quote }} + {{ end }} image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness diff --git a/kubernetes/cds/components/cds-command-executor/templates/service.yaml b/kubernetes/cds/components/cds-command-executor/templates/service.yaml index 2301902f56..7540728ee9 100755 --- a/kubernetes/cds/components/cds-command-executor/templates/service.yaml +++ b/kubernetes/cds/components/cds-command-executor/templates/service.yaml @@ -34,6 +34,14 @@ spec: nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} {{- end}} name: {{ .Values.service.grpc.portName | default "grpc" }} + {{- if .Values.metrics.serviceMonitor.enabled }} + - port: {{ .Values.service.metrics.externalPort }} + targetPort: {{ .Values.service.metrics.internalPort }} + {{- if eq .Values.service.type "NodePort"}} + nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} + {{- end}} + name: {{ .Values.service.metrics.portName | default "metrics" }} + {{- end}} selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} \ No newline at end of file diff --git a/kubernetes/esr/components/esr-server/Chart.yaml b/kubernetes/cds/components/cds-command-executor/templates/servicemonitor.yaml similarity index 77% rename from kubernetes/esr/components/esr-server/Chart.yaml rename to kubernetes/cds/components/cds-command-executor/templates/servicemonitor.yaml index 38a51cd771..101b24a8a2 100644 --- a/kubernetes/esr/components/esr-server/Chart.yaml +++ b/kubernetes/cds/components/cds-command-executor/templates/servicemonitor.yaml @@ -1,4 +1,5 @@ -# Copyright © 2018 Amdocs, Bell Canada +{{/* +# Copyright © 2021 Bitnami, Orange, Bell Canada # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -11,8 +12,8 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +*/}} -apiVersion: v1 -description: ONAP External System Register GUI -name: esr-server -version: 8.0.0 +{{- if .Values.metrics.serviceMonitor.enabled }} +{{ include "common.serviceMonitor" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/cds/components/cds-command-executor/values.yaml b/kubernetes/cds/components/cds-command-executor/values.yaml index cb3668656a..0f7b55632a 100755 --- a/kubernetes/cds/components/cds-command-executor/values.yaml +++ b/kubernetes/cds/components/cds-command-executor/values.yaml @@ -32,7 +32,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-commandexecutor:1.1.5 +image: onap/ccsdk-commandexecutor:1.2.0 pullPolicy: Always # application configuration @@ -66,6 +66,10 @@ service: portName: command-executor-grpc internalPort: 50051 externalPort: 50051 + metrics: + portName: command-executor-metrics + internalPort: 10005 + externalPort: 10005 persistence: enabled: true @@ -97,3 +101,19 @@ serviceAccount: nameOverride: cds-command-executor roles: - read + +metrics: + serviceMonitor: + enabled: false + port: command-executor-metrics + path: /actuator/prometheus + basicAuth: + enabled: false + externalSecretName: mysecretname + externalSecretUserKey: login + externalSecretPasswordKey: password + selector: + app: '{{ include "common.name" . }}' + chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + release: '{{ .Release.Name }}' + heritage: '{{ .Release.Service }}' diff --git a/kubernetes/cds/components/cds-py-executor/values.yaml b/kubernetes/cds/components/cds-py-executor/values.yaml index 02805cf5fa..c7a2734a8b 100755 --- a/kubernetes/cds/components/cds-py-executor/values.yaml +++ b/kubernetes/cds/components/cds-py-executor/values.yaml @@ -30,7 +30,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-py-executor:1.1.5 +image: onap/ccsdk-py-executor:1.2.0 pullPolicy: Always # default number of instances diff --git a/kubernetes/cds/components/cds-sdc-listener/values.yaml b/kubernetes/cds/components/cds-sdc-listener/values.yaml index f71dafeeb1..fd15bd0ecc 100644 --- a/kubernetes/cds/components/cds-sdc-listener/values.yaml +++ b/kubernetes/cds/components/cds-sdc-listener/values.yaml @@ -29,7 +29,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-sdclistener:1.1.5 +image: onap/ccsdk-sdclistener:1.2.0 name: sdc-listener pullPolicy: Always diff --git a/kubernetes/cds/components/cds-ui/values.yaml b/kubernetes/cds/components/cds-ui/values.yaml index 8f5f806baf..f579cc358d 100644 --- a/kubernetes/cds/components/cds-ui/values.yaml +++ b/kubernetes/cds/components/cds-ui/values.yaml @@ -44,7 +44,7 @@ certInitializer: {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop # application image -image: onap/ccsdk-cds-ui-server:1.1.5 +image: onap/ccsdk-cds-ui-server:1.2.0 pullPolicy: Always # application configuration diff --git a/kubernetes/common/cassandra/resources/restore.sh b/kubernetes/common/cassandra/resources/restore.sh index 7f271d262f..0df2d79fc6 100644 --- a/kubernetes/common/cassandra/resources/restore.sh +++ b/kubernetes/common/cassandra/resources/restore.sh @@ -20,25 +20,25 @@ find_target_table_name () print_usage () { - echo "NAME" - echo " Script to restore Cassandra database from Nuvo/Cain snapshot" - echo "SYNOPSIS" - echo " $me [--help|-h] [--base_db_dir|-b] [--snapshot_dir|-s] [--keyspace|-k] [--tag|-t]" - echo " MUST OPTIONS: base_db_dir, snapshot_dir, keyspace_name" - echo "DESCRIPTION" - echo " --base_db_dir, -b" - echo " Location of running Cassandra database" - echo " --snapshot_dir, -s" - echo " Snapshot location of Cassandra database taken by Nuvo/Cain" - echo " --keyspace, -k" - echo " Name of the keyspace to restore" - echo "EXAMPLE" - echo " $me -b /var/lib/cassandra/data -s /root/data.ss -k DISCOVERY_SERVER -t 1234567" - exit + echo "NAME" + echo " Script to restore Cassandra database from Nuvo/Cain snapshot" + echo "SYNOPSIS" + echo " $me [--help|-h] [--base_db_dir|-b] [--snapshot_dir|-s] [--keyspace|-k] [--tag|-t]" + echo " MUST OPTIONS: base_db_dir, snapshot_dir, keyspace_name" + echo "DESCRIPTION" + echo " --base_db_dir, -b" + echo " Location of running Cassandra database" + echo " --snapshot_dir, -s" + echo " Snapshot location of Cassandra database taken by Nuvo/Cain" + echo " --keyspace, -k" + echo " Name of the keyspace to restore" + echo "EXAMPLE" + echo " $me -b /var/lib/cassandra/data -s /root/data.ss -k DISCOVERY_SERVER -t 1234567" + exit } if [ $# -eq 0 ] then - print_usage + print_usage fi while [ $# -gt 0 ] @@ -47,40 +47,40 @@ key="$1" shift case $key in - -h|--help) - print_usage - ;; - -b|--base_db_dir) - base_db_dir="$1" - shift - ;; - -s|--snapshot_dir) - ss_dir="$1" - shift - ;; - -k|--keyspace) - keyspace_name="$1" - ;; - -t|--tag) - tag_name="$1" - ;; - --default) - DEFAULT=YES - shift - ;; - *) - # unknown option - ;; + -h|--help) + print_usage + ;; + -b|--base_db_dir) + base_db_dir="$1" + shift + ;; + -s|--snapshot_dir) + ss_dir="$1" + shift + ;; + -k|--keyspace) + keyspace_name="$1" + ;; + -t|--tag) + tag_name="$1" + ;; + --default) + DEFAULT=YES + shift + ;; + *) + # unknown option + ;; esac done # Validate inputs if [ "$base_db_dir" = "" ] || [ "$ss_dir" = "" ] || [ "$keyspace_name" = "" ] then - echo "" - echo ">>>>>>>>>>Not all inputs provided, please check usage >>>>>>>>>>" - echo "" - print_usage + echo "" + echo ">>>>>>>>>>Not all inputs provided, please check usage >>>>>>>>>>" + echo "" + print_usage fi # Remove commit logs from current data dir diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh index eb07a74cd4..fa3de03ece 100755 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh +++ b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh @@ -22,6 +22,7 @@ WORK_DIR=${WORK_DIR:-/updatedTruststore} ONAP_TRUSTSTORE=${ONAP_TRUSTSTORE:-truststoreONAPall.jks} JRE_TRUSTSTORE=${JRE_TRUSTSTORE:-$JAVA_HOME/lib/security/cacerts} TRUSTSTORE_OUTPUT_FILENAME=${TRUSTSTORE_OUTPUT_FILENAME:-truststore.jks} +SSL_WORKDIR=${SSL_WORKDIR:-/usr/local/share/ca-certificates} mkdir -p $WORK_DIR @@ -75,3 +76,15 @@ for f in $WORK_DIR/*; do fi fi done + +# Import certificates to Linux SSL Truststore +cp $CERTS_DIR/*.crt $SSL_WORKDIR/. +cp $MORE_CERTS_DIR/*.crt $SSL_WORKDIR/. +update-ca-certificates +if [ $? != 0 ] + then + echo "failed importing certificates" + exit 1 + else + cp /etc/ssl/certs/ca-certificates.crt $WORK_DIR/. +fi \ No newline at end of file diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml index f3ba8a24e0..32bba457ee 100644 --- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml +++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml @@ -174,6 +174,9 @@ - mountPath: {{ $initRoot.truststoreMountpath }}/{{ $initRoot.truststoreOutputFileName }} name: updated-truststore subPath: {{ $initRoot.truststoreOutputFileName }} +- mountPath: /etc/ssl/certs/ca-certificates.crt + name: updated-truststore + subPath: ca-certificates.crt {{- end -}} {{- end -}} diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml index 02595b348d..4b8438ace2 100644 --- a/kubernetes/common/cmpv2Config/values.yaml +++ b/kubernetes/common/cmpv2Config/values.yaml @@ -35,5 +35,5 @@ global: truststorePasswordSecretName: oom-cert-service-truststore-password truststorePasswordSecretKey: password certPostProcessor: - image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 + image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0 diff --git a/kubernetes/common/common/templates/_dmaapProvisioning.tpl b/kubernetes/common/common/templates/_dmaapProvisioning.tpl index 704bd06a49..d28494aacd 100644 --- a/kubernetes/common/common/templates/_dmaapProvisioning.tpl +++ b/kubernetes/common/common/templates/_dmaapProvisioning.tpl @@ -142,7 +142,7 @@ cd /opt/app/config/cache for file in $(ls feed*); do NUM=$(echo "$file" | sed 's/feedConfig-\([0-9]\+\)-resp.json/\1/') - export DR_LOG_URL_"$NUM"="$(grep -o '"logURL":"[^"]*' "$file" | cut -d '"' -f4)" + export DR_LOG_URL_"$NUM"="$(grep -o '"logURL":"[^"]*' "$file" | grep -w "feedlog" | cut -d '"' -f4)" export DR_FILES_PUBLISHER_URL_"$NUM"="$(grep -o '"publishURL":"[^"]*' "$file" | cut -d '"' -f4)" done for file in $(ls drpub*); do diff --git a/kubernetes/common/common/templates/_service.tpl b/kubernetes/common/common/templates/_service.tpl index 49f1b940a6..a488e0d5fa 100644 --- a/kubernetes/common/common/templates/_service.tpl +++ b/kubernetes/common/common/templates/_service.tpl @@ -323,6 +323,16 @@ true {{- end }} {{- end -}} +{{/* + generate needed scheme: + - https if needTLS + - http if not +*/}} + +{{- define "common.scheme" -}} + {{- ternary "https" "http" (eq "true" (include "common.needTLS" .)) }} +{{- end -}} + {{- define "common.port.buildCache" -}} {{- $global := . }} {{- if not $global.Values._DmaapDrNodePortsCache }} diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl index 4457762754..d4fc182b34 100644 --- a/kubernetes/common/common/templates/_serviceMesh.tpl +++ b/kubernetes/common/common/templates/_serviceMesh.tpl @@ -25,3 +25,15 @@ true {{- end -}} {{- end -}} {{- end -}} + +{{- define "common.serviceMesh.killSidecar" -}} +{{- if (include "common.onServiceMesh" .) }} +RCODE="$?"; +echo "*** script finished with exit code $RCODE" ; +echo "*** killing service mesh sidecar" ; +curl -sf -X POST http://127.0.0.1:15020/quitquitquit ; +echo "" ; +echo "*** exiting with script exit code" ; +exit "$RCODE" +{{- end }} +{{- end -}} diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index 9227e182b6..bb3af76115 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml @@ -1,5 +1,6 @@ {{/* -# Copyright © 2018 Amdocs, Bell Canada +# Copyright © 2018 Amdocs +# Copyright © 2018,2021 Bell Canada # Copyright © 2019 Samsung Electronics # Copyright © 2019-2020 Orange # Copyright © 2020 Bitnami @@ -202,14 +203,20 @@ spec: httpGet: path: /metrics port: metrics - initialDelaySeconds: 30 - timeoutSeconds: 5 + initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }} readinessProbe: httpGet: path: /metrics port: metrics - initialDelaySeconds: 5 - timeoutSeconds: 1 + initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }} {{ include "common.containerSecurityContext" . | indent 10 | trim }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} {{- end }} diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index ed9977acd9..bc9273f41f 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml @@ -1,4 +1,5 @@ -# Copyright © 2018 Amdocs, Bell Canada +# Copyright © 2018 Amdocs +# Copyright © 2018,2021 Bell Canada # Copyright © 2019 Samsung Electronics # Copyright © 2020 Bitnami, Orange # @@ -560,6 +561,23 @@ metrics: requests: cpu: 0.5 memory: 256Mi + ## MariaDB Galera metrics container's liveness and readiness probes + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 3 ## MySQL Prometheus exporter service parameters ## service: diff --git a/kubernetes/esr/components/esr-gui/.helmignore b/kubernetes/common/timescaledb/.helmignore similarity index 97% rename from kubernetes/esr/components/esr-gui/.helmignore rename to kubernetes/common/timescaledb/.helmignore index f0c1319444..50af031725 100644 --- a/kubernetes/esr/components/esr-gui/.helmignore +++ b/kubernetes/common/timescaledb/.helmignore @@ -19,3 +19,4 @@ .project .idea/ *.tmproj +.vscode/ diff --git a/kubernetes/common/timescaledb/Chart.yaml b/kubernetes/common/timescaledb/Chart.yaml new file mode 100644 index 0000000000..7aeafa01f2 --- /dev/null +++ b/kubernetes/common/timescaledb/Chart.yaml @@ -0,0 +1,23 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v1 +appVersion: "1.0" +description: ONAP timescaledb +name: timescaledb +version: 8.0.0 diff --git a/kubernetes/esr/components/esr-server/requirements.yaml b/kubernetes/common/timescaledb/requirements.yaml similarity index 62% rename from kubernetes/esr/components/esr-server/requirements.yaml rename to kubernetes/common/timescaledb/requirements.yaml index 343812db25..de0c414c19 100644 --- a/kubernetes/esr/components/esr-server/requirements.yaml +++ b/kubernetes/common/timescaledb/requirements.yaml @@ -1,25 +1,28 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at -# + # http://www.apache.org/licenses/LICENSE-2.0 -# + # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= dependencies: - name: common version: ~8.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) repository: '@local' - - name: repositoryGenerator + - name: serviceAccount version: ~8.x-0 repository: '@local' + - name: repositoryGenerator + version: ~8.x-0 + repository: 'file://../repositoryGenerator' diff --git a/kubernetes/common/timescaledb/resources/init/init-schema.sh b/kubernetes/common/timescaledb/resources/init/init-schema.sh new file mode 100644 index 0000000000..ab83cffae2 --- /dev/null +++ b/kubernetes/common/timescaledb/resources/init/init-schema.sh @@ -0,0 +1,28 @@ +#!/bin/bash + +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +set -e +set echo on; +psql --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL + CREATE USER $DB_USERNAME WITH PASSWORD '$DB_PASSWORD'; + CREATE SCHEMA $POSTGRES_DB; + GRANT ALL PRIVILEGES ON SCHEMA $POSTGRES_DB TO $DB_USERNAME; + CREATE EXTENSION IF NOT EXISTS timescaledb WITH SCHEMA $POSTGRES_DB; +EOSQL diff --git a/kubernetes/esr/components/esr-server/templates/configmap.yaml b/kubernetes/common/timescaledb/templates/configmap-init.yaml similarity index 56% rename from kubernetes/esr/components/esr-server/templates/configmap.yaml rename to kubernetes/common/timescaledb/templates/configmap-init.yaml index 6861a8bdf0..82c1de6255 100644 --- a/kubernetes/esr/components/esr-server/templates/configmap.yaml +++ b/kubernetes/common/timescaledb/templates/configmap-init.yaml @@ -1,37 +1,27 @@ {{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at -# + # http://www.apache.org/licenses/LICENSE-2.0 -# + # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= */}} apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "common.fullname" . }}-log - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-esr-filebeat-configmap + name: {{ include "common.fullname" . }}-init namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} @@ -39,4 +29,5 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/log/filebeat/filebeat.yml").AsConfig . | indent 2 }} + init-schema.sh: |- +{{ .Files.Get "resources/init/init-schema.sh" | indent 4}} diff --git a/kubernetes/esr/values.yaml b/kubernetes/common/timescaledb/templates/pv.yaml similarity index 60% rename from kubernetes/esr/values.yaml rename to kubernetes/common/timescaledb/templates/pv.yaml index 5b2f776dfe..f99b5f3562 100644 --- a/kubernetes/esr/values.yaml +++ b/kubernetes/common/timescaledb/templates/pv.yaml @@ -1,26 +1,21 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at -# + # http://www.apache.org/licenses/LICENSE-2.0 -# + # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} -################################################################# -# Global configuration defaults. -################################################################# - -# application configuration -config: - logstashServiceName: log-ls - logstashPort: 5044 - -esr-gui: - enabled: true \ No newline at end of file +{{ include "common.PV" . }} diff --git a/kubernetes/common/timescaledb/templates/secrets.yaml b/kubernetes/common/timescaledb/templates/secrets.yaml new file mode 100644 index 0000000000..c888d48b6c --- /dev/null +++ b/kubernetes/common/timescaledb/templates/secrets.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/common/timescaledb/templates/service.yaml b/kubernetes/common/timescaledb/templates/service.yaml new file mode 100644 index 0000000000..c205ff4889 --- /dev/null +++ b/kubernetes/common/timescaledb/templates/service.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/common/timescaledb/templates/statefulset.yaml b/kubernetes/common/timescaledb/templates/statefulset.yaml new file mode 100644 index 0000000000..9b63de434d --- /dev/null +++ b/kubernetes/common/timescaledb/templates/statefulset.yaml @@ -0,0 +1,90 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: StatefulSet +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + serviceName: {{ include "common.servicename" . }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + imagePullPolicy: {{ .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 12 }} + livenessProbe: + exec: + command: ["psql", "-w", "-U", "{{ .Values.config.pgRootUserName }}", "-c", "select 1"] + initialDelaySeconds: 5 + periodSeconds: 60 + readinessProbe: + exec: + command: ["psql", "-w", "-U", "{{ .Values.config.pgRootUserName }}", "-c", "select 1"] + initialDelaySeconds: 5 + periodSeconds: 30 + env: + - name: DB_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "user-creds" "key" "login") | indent 14 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "user-creds" "key" "password") | indent 14 }} + - name: POSTGRES_DB + value: {{ .Values.config.pgDatabase }} + - name: POSTGRES_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "root-creds" "key" "login") | indent 14 }} + - name: POSTGRES_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "root-creds" "key" "password") | indent 14 }} + - name: PGDATA + value: /var/lib/postgresql/data/pgdata + resources: +{{ include "common.resources" . | indent 12 }} + volumeMounts: + - name: {{ include "common.fullname" . }}-init + mountPath: /docker-entrypoint-initdb.d + - name: {{ include "common.fullname" . }} + mountPath: /var/lib/postgresql/data + volumes: + - name: {{ include "common.fullname" . }}-init + configMap: + name: {{ include "common.fullname" . }}-init + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} + volumeClaimTemplates: + - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "data" "persistenceInfos" .Values.persistence) | indent 6 | trim }} +{{- end }} diff --git a/kubernetes/common/timescaledb/values.yaml b/kubernetes/common/timescaledb/values.yaml new file mode 100644 index 0000000000..b6d2face3a --- /dev/null +++ b/kubernetes/common/timescaledb/values.yaml @@ -0,0 +1,111 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +replicaCount: 1 +global: + persistence: {} + +################################################################# +# Secrets. +############################################################## +image: timescale/timescaledb:2.1.1-pg13 + +pullPolicy: Always +containerPorts: 5432 + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + nameOverride: timescaledb + roles: + - read + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: + cpu: 0.5 + memory: 256Mi + requests: + cpu: 20m + memory: 256Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +service: + type: ClusterIP + name: timescaledb + ports: + - name: tcp-timescaledb + port: 5432 + +persistence: + enabled: true + + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + # existingClaim: + volumeReclaimPolicy: Retain + + ## database data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + accessMode: ReadWriteOnce + size: 1Gi + mountPath: /dockerdata-nfs + +config: + pgUserName: timescaledb + pgRootUserName: postgres + pgDatabase: timescaledb + +secrets: + - uid: root-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.pgRootPasswordExternalSecret) . }}' + login: '{{ .Values.config.pgRootUserName }}' + password: '{{ .Values.config.pgRootpassword }}' + - uid: user-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.pgUserExternalSecret) . }}' + login: '{{ .Values.config.pgUserName }}' + password: '{{ .Values.config.pgUserPassword }}' + diff --git a/kubernetes/config/prepull_docker.sh b/kubernetes/config/prepull_docker.sh index efd0bd14d3..54d7a2d7ff 100755 --- a/kubernetes/config/prepull_docker.sh +++ b/kubernetes/config/prepull_docker.sh @@ -110,7 +110,7 @@ do #remove attional prefix and postfix imageNameFinal=`echo "$imageName" | sed -e 's/^"//' -e 's/"$//' ` - #check if line contain Version as a subtag in lines if yes then call docker pull with version + #check if line contain Version as a subtag in lines if yes then call docker pull with version if echo $line | grep -q $IMAGE_VERSION_TEXT ; then echo docker pull "$imageNameWithVersion":"$imageNameFinal" docker pull $imageNameWithVersion:$imageNameFinal & diff --git a/kubernetes/contrib/components/ejbca/requirements.yaml b/kubernetes/contrib/components/ejbca/requirements.yaml index 31db08aa3a..8762d969f9 100644 --- a/kubernetes/contrib/components/ejbca/requirements.yaml +++ b/kubernetes/contrib/components/ejbca/requirements.yaml @@ -26,3 +26,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: cmpv2Config + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh index ad10240b94..2c672e2f07 100755 --- a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh +++ b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh @@ -8,16 +8,31 @@ waitForEjbcaToStart() { } configureEjbca() { + ejbca.sh ca init \ + --caname ManagementCA \ + --dn "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345" \ + --tokenType soft \ + --keyspec 3072 \ + --keytype RSA \ + -v 3652 \ + --policy null \ + -s SHA256WithRSA \ + -type "x509" ejbca.sh config cmp addalias --alias cmpRA ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value ${RA_IAK} - ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe + ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value signature + ejbca.sh config cmp updatealias --alias cmpRA --key authenticationmodule --value 'HMAC;EndEntityCertificate' + ejbca.sh config cmp updatealias --alias cmpRA --key authenticationparameters --value '-;ManagementCA' + ejbca.sh config cmp updatealias --alias cmpRA --key allowautomatickeyupdate --value true #Custom EJBCA cert profile and endentity are imported to allow issuing certificates with correct extended usage (containing serverAuth) ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles #Profile name taken from certprofile filename (certprofile_-.xml) ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER #ID taken from entityprofile filename (entityprofile_-.xml) ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849 + caSubject=$(ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p') + ejbca.sh config cmp updatealias --alias cmpRA --key defaultca --value "$caSubject" ejbca.sh config cmp dumpalias --alias cmpRA ejbca.sh config cmp addalias --alias cmp ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true @@ -27,6 +42,13 @@ configureEjbca() { ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN ejbca.sh config cmp dumpalias --alias cmp ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem + #Add "Certificate Update Admin" role to allow performing KUR/CR for certs within specific organization (e.g. Linux-Foundation) + ejbca.sh roles addrole "Certificate Update Admin" + ejbca.sh roles changerule "Certificate Update Admin" /ca/ManagementCA/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /ca_functionality/create_certificate/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /endentityprofilesrules/Custom_EndEntity/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /ra_functionality/edit_end_entity/ ACCEPT + ejbca.sh roles addrolemember "Certificate Update Admin" ManagementCA WITH_ORGANIZATION --value "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}" } diff --git a/kubernetes/contrib/components/ejbca/templates/deployment.yaml b/kubernetes/contrib/components/ejbca/templates/deployment.yaml index 46f7d3521c..fc163ee2e2 100644 --- a/kubernetes/contrib/components/ejbca/templates/deployment.yaml +++ b/kubernetes/contrib/components/ejbca/templates/deployment.yaml @@ -61,6 +61,8 @@ spec: env: - name: INITIAL_ADMIN value: ";PublicAccessAuthenticationToken:TRANSPORT_ANY;" + - name: NO_CREATE_CA + value: "true" - name: DATABASE_JDBC_URL value: jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ .Values.mysqlDatabase }} - name: DATABASE_USER diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh index 460c046632..7e9077d972 100755 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh +++ b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh @@ -24,9 +24,9 @@ SPATH="$( dirname "$( which "$0" )" )" usage() { cat << ==usage $0 [cluster_domain] [lb_ip] [helm_chart_args] ... - [cluster_domain] Default value simpledemo.onap.org - [lb_ip] Default value LoadBalancer IP - [helm_chart_args] ... Optional arguments passed to helm install command + [cluster_domain] Default value simpledemo.onap.org + [lb_ip] Default value LoadBalancer IP + [helm_chart_args] ... Optional arguments passed to helm install command $0 --help This message $0 --info Display howto configure target machine ==usage @@ -37,10 +37,10 @@ target_machine_notice_info() { cat << ==infodeploy Extra DNS server already deployed: 1. You can add the DNS server to the target machine using following commands: - sudo iptables -t nat -A OUTPUT -p tcp -d 192.168.211.211 --dport 53 -j DNAT --to-destination $CLUSTER_IP:$DNS_PORT - sudo iptables -t nat -A OUTPUT -p udp -d 192.168.211.211 --dport 53 -j DNAT --to-destination $CLUSTER_IP:$DNS_PORT - sudo sysctl -w net.ipv4.conf.all.route_localnet=1 - sudo sysctl -w net.ipv4.ip_forward=1 + sudo iptables -t nat -A OUTPUT -p tcp -d 192.168.211.211 --dport 53 -j DNAT --to-destination $CLUSTER_IP:$DNS_PORT + sudo iptables -t nat -A OUTPUT -p udp -d 192.168.211.211 --dport 53 -j DNAT --to-destination $CLUSTER_IP:$DNS_PORT + sudo sysctl -w net.ipv4.conf.all.route_localnet=1 + sudo sysctl -w net.ipv4.ip_forward=1 2. Update /etc/resolv.conf file with nameserver 192.168.211.211 entry on your target machine ==infodeploy } @@ -48,51 +48,51 @@ Extra DNS server already deployed: list_node_with_external_addrs() { - local WORKER_NODES=$(kubectl get no -l node-role.kubernetes.io/worker=true -o jsonpath='{.items..metadata.name}') - for worker in $WORKER_NODES; do - local external_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }') - local internal_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/internal-ip }') - if [ $internal_ip != $external_ip ]; then - echo $external_ip - break - fi - done + local WORKER_NODES=$(kubectl get no -l node-role.kubernetes.io/worker=true -o jsonpath='{.items..metadata.name}') + for worker in $WORKER_NODES; do + local external_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }') + local internal_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/internal-ip }') + if [ $internal_ip != $external_ip ]; then + echo $external_ip + break + fi + done } ingress_controller_ip() { - local metal_ns=$(kubectl get ns --no-headers --output=custom-columns=NAME:metadata.name |grep metallb-system) - if [ -z $metal_ns ]; then - echo $CLUSTER_IP - else - list_node_with_external_addrs - fi + local metal_ns=$(kubectl get ns --no-headers --output=custom-columns=NAME:metadata.name |grep metallb-system) + if [ -z $metal_ns ]; then + echo $CLUSTER_IP + else + list_node_with_external_addrs + fi } deploy() { - local ingress_ip=$(ingress_controller_ip) - initdir = $(pwd) - cd $SPATH/bind9dns - if [ $# -eq 0 ]; then - local cl_domain="simpledemo.onap.org" - else - local cl_domain=$1 - shift - fi - if [ $# -ne 0 ]; then - ingress_ip=$1 - shift - fi - helm install . --set dnsconf.wildcard="$cl_domain=$ingress_ip" $@ - cd $initdir - target_machine_notice_info + local ingress_ip=$(ingress_controller_ip) + initdir = $(pwd) + cd $SPATH/bind9dns + if [ $# -eq 0 ]; then + local cl_domain="simpledemo.onap.org" + else + local cl_domain=$1 + shift + fi + if [ $# -ne 0 ]; then + ingress_ip=$1 + shift + fi + helm install . --set dnsconf.wildcard="$cl_domain=$ingress_ip" $@ + cd $initdir + target_machine_notice_info } if [ $# -eq 1 ] && [ "$1" = "-h" ]; then - usage + usage elif [ $# -eq 1 ] && [ "$1" = "--help" ]; then - usage + usage elif [ $# -eq 1 ] && [ "$1" = "--info" ]; then target_machine_notice_info else - deploy $@ + deploy $@ fi diff --git a/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh b/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh index bf2bc121a7..ce5a19ba25 100755 --- a/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh +++ b/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh @@ -27,14 +27,14 @@ $0 [cluster_ip1] ... [cluster_ipn] Cluster address or ip ranges find_nodes_with_external_addrs() { - local WORKER_NODES=$(kubectl get no -l node-role.kubernetes.io/worker=true -o jsonpath='{.items..metadata.name}') - for worker in $WORKER_NODES; do - local external_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }') - local internal_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/internal-ip }') - if [ $internal_ip != $external_ip ]; then - echo $external_ip - fi - done + local WORKER_NODES=$(kubectl get no -l node-role.kubernetes.io/worker=true -o jsonpath='{.items..metadata.name}') + for worker in $WORKER_NODES; do + local external_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }') + local internal_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/internal-ip }') + if [ $internal_ip != $external_ip ]; then + echo $external_ip + fi + done } generate_config_map() @@ -56,32 +56,32 @@ CNFEOF } generate_config_from_single_addr() { - generate_config_map "$1 - $1" + generate_config_map "$1 - $1" } install_metallb() { - kubectl apply -f https://raw.githubusercontent.com/google/metallb/v0.9.3/manifests/namespace.yaml - kubectl apply -f https://raw.githubusercontent.com/google/metallb/v0.9.3/manifests/metallb.yaml - # Only when install - kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)" + kubectl apply -f https://raw.githubusercontent.com/google/metallb/v0.9.3/manifests/namespace.yaml + kubectl apply -f https://raw.githubusercontent.com/google/metallb/v0.9.3/manifests/metallb.yaml + # Only when install + kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)" } automatic_configuration() { - install_metallb - generate_config_from_single_addr $(find_nodes_with_external_addrs) + install_metallb + generate_config_from_single_addr $(find_nodes_with_external_addrs) } manual_configuration() { - install_metallb - generate_config_map $@ + install_metallb + generate_config_map $@ } if [ $# -eq 1 ] && [ "$1" = "-h" ]; then - usage + usage if [ $# -eq 1 ] && [ "$1" = "--help" ]; then - usage + usage elif [ $# -eq 0 ]; then - automatic_configuration + automatic_configuration else - manual_configuration $@ + manual_configuration $@ fi diff --git a/kubernetes/esr/.helmignore b/kubernetes/cps/components/cps-temporal/.helmignore similarity index 96% rename from kubernetes/esr/.helmignore rename to kubernetes/cps/components/cps-temporal/.helmignore index 7ddbad7ef4..80b47d2723 100644 --- a/kubernetes/esr/.helmignore +++ b/kubernetes/cps/components/cps-temporal/.helmignore @@ -19,4 +19,4 @@ .project .idea/ *.tmproj -components/ +components/ \ No newline at end of file diff --git a/kubernetes/cps/components/cps-temporal/Chart.yaml b/kubernetes/cps/components/cps-temporal/Chart.yaml new file mode 100644 index 0000000000..ab4bfe7e42 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/Chart.yaml @@ -0,0 +1,22 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v1 +description: ONAP Configuration Persistance Service (CPS) - Temporal +name: cps-temporal +version: 8.0.0 diff --git a/kubernetes/cps/components/cps-temporal/requirements.yaml b/kubernetes/cps/components/cps-temporal/requirements.yaml new file mode 100644 index 0000000000..b2293db9af --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/requirements.yaml @@ -0,0 +1,34 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +dependencies: + - name: common + version: ~8.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~8.x-0 + repository: '@local' + - name: timescaledb + version: ~8.x-0 + repository: '@local' + - name: readinessCheck + version: ~8.x-0 + repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml b/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml new file mode 100644 index 0000000000..6654b26556 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml @@ -0,0 +1,47 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +spring: + datasource: + url: jdbc:postgresql://{{ .Values.timescaledb.service.name }}:5432/{{ .Values.timescaledb.config.pgDatabase }} + username: ${DB_USERNAME} + password: ${DB_PASSWORD} + kafka: + bootstrap-servers: [{{ .Values.config.kafka.service }}:{{ .Values.config.kafka.port }}] + security: + protocol: {{ .Values.config.kafka.protocol }} + consumer: + group-id: {{ .Values.config.kafka.consumerGroupId }} + +security: + auth: + username: ${APP_USERNAME} + password: ${APP_PASSWORD} + +app: + listener: + data-updated: + topic: {{ .Values.config.kafka.listenerTopic }} + +{{- if .Values.config.additional }} +{{ toYaml .Values.config.additional | nindent 2 }} +{{- end }} + +# Last empty line is required otherwise the last property will be missing from application.yml file in the pod. diff --git a/kubernetes/cps/components/cps-temporal/resources/config/logback.xml b/kubernetes/cps/components/cps-temporal/resources/config/logback.xml new file mode 100644 index 0000000000..a64a58664b --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/resources/config/logback.xml @@ -0,0 +1,44 @@ + + + + + + + %d - %highlight(%-5level) [%-20.20thread] %cyan(%logger{36}) - %msg%n + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/kubernetes/cps/components/cps-temporal/templates/configmap.yaml b/kubernetes/cps/components/cps-temporal/templates/configmap.yaml new file mode 100644 index 0000000000..6d9e30fe16 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/configmap.yaml @@ -0,0 +1,24 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | nindent 2 }} diff --git a/kubernetes/cps/components/cps-temporal/templates/deployment.yaml b/kubernetes/cps/components/cps-temporal/templates/deployment.yaml new file mode 100644 index 0000000000..806e65a865 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/deployment.yaml @@ -0,0 +1,113 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + replicas: {{ .Values.replicaCount }} + minReadySeconds: {{ index .Values.minReadySeconds }} + strategy: + type: {{ index .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ index .Values.updateStrategy.maxSurge }} + selector: {{- include "common.selectors" . | nindent 4 }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + {{ include "common.podSecurityContext" . | indent 6 | trim}} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + - name: {{ include "common.name" . }}-update-config + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: DB_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 12 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 12 }} + - name: APP_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "login") | indent 12 }} + - name: APP_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "password") | indent 12 }} + volumeMounts: + - mountPath: /config-input + name: init-data-input + - mountPath: /config + name: init-data + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + httpGet: + port: {{ .Values.liveness.port }} + path: {{ .Values.liveness.path }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + httpGet: + port: {{ .Values.readiness.port }} + path: {{ .Values.readiness.path }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: SPRING_PROFILES_ACTIVE + value: {{ .Values.config.spring.profile }} + resources: {{ include "common.resources" . | nindent 10 }} + {{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 12 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: /app/resources/application-helm.yml + subPath: application-helm.yml + name: init-data + - mountPath: /app/resources/logback.xml + subPath: logback.xml + name: init-data + - mountPath: /tmp + name: init-temp + volumes: + - name: init-data-input + configMap: + name: {{ include "common.fullname" . }} + - name: init-data + emptyDir: + medium: Memory + - name: init-temp + emptyDir: {} + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" + diff --git a/kubernetes/cps/components/cps-temporal/templates/ingress.yaml b/kubernetes/cps/components/cps-temporal/templates/ingress.yaml new file mode 100644 index 0000000000..0dc4d1ae47 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/ingress.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/cps/components/cps-temporal/templates/secrets.yaml b/kubernetes/cps/components/cps-temporal/templates/secrets.yaml new file mode 100644 index 0000000000..2a492061a3 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/secrets.yaml @@ -0,0 +1,22 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/cps/components/cps-temporal/templates/service.yaml b/kubernetes/cps/components/cps-temporal/templates/service.yaml new file mode 100644 index 0000000000..c205ff4889 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/service.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/cps/components/cps-temporal/templates/serviceMonitor.yaml b/kubernetes/cps/components/cps-temporal/templates/serviceMonitor.yaml new file mode 100644 index 0000000000..a49a662aed --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/serviceMonitor.yaml @@ -0,0 +1,23 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{- if .Values.prometheus.enabled }} +{{ include "common.serviceMonitor" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/cps/components/cps-temporal/values.yaml b/kubernetes/cps/components/cps-temporal/values.yaml new file mode 100644 index 0000000000..6874fa2ff0 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/values.yaml @@ -0,0 +1,185 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2021 Bell Canada. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration defaults. +################################################################# +passwordStrengthOverride: basic +global: + ingress: + virtualhost: + baseurl: "simpledemo.temporal.onap.org" + +secrets: + - uid: pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . }}-cps-temporal-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.timescaledb.config.pgUserExternalSecret) .) (hasSuffix "cps-temporal-pg-user-creds" .Values.timescaledb.config.pgUserExternalSecret) }}' + login: '{{ .Values.timescaledb.config.pgUserName }}' + password: '{{ .Values.timescaledb.config.pgUserPassword }}' + passwordPolicy: generate + - uid: app-user-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.appUserExternalSecret) . }}' + login: '{{ .Values.config.appUserName }}' + password: '{{ .Values.config.appUserPassword }}' + passwordPolicy: generate + +image: onap/cps-temporal:1.0.0 +containerPort: &svc_port 8080 +managementPort: &mgt_port 8081 + +prometheus: + enabled: true + +service: + type: ClusterIP + name: cps-temporal + ports: + - name: http + port: *svc_port + targetPort: *svc_port + - name: management + port: *mgt_port + targetPort: *mgt_port + +metrics: + serviceMonitor: + enabled: true + port: management + ## specify target port if name is not given to the port in the service definition + ## + # targetPort: 8080 + path: /manage/prometheus + interval: 60s + basicAuth: + enabled: false + +pullPolicy: IfNotPresent +# flag to enable debugging - application support required +debugEnabled: false +nodeSelector: {} +affinity: {} +# Resource Limit flavor -By Default using small +flavor: small +# default number of instances +replicaCount: 1 +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: 2 + memory: 2Gi + requests: + cpu: 1 + memory: 1Gi + large: + limits: + cpu: 4 + memory: 4Gi + requests: + cpu: 2 + memory: 2Gi + unlimited: {} +# probe configuration parameters +liveness: + initialDelaySeconds: 20 + periodSeconds: 20 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + path: /manage/health + port: *mgt_port + +readiness: + initialDelaySeconds: 15 + periodSeconds: 15 + path: /manage/health + port: *mgt_port + +ingress: + enabled: true + service: + - baseaddr: "cps-temporal" + path: "/" + name: "cps-temporal" + port: *svc_port + +serviceAccount: + nameOverride: cps-temporal + roles: + - read + +securityContext: + user_id: 100 + group_id: 655533 + +################################################################# +# Application configuration defaults. +################################################################# + +config: + # REST API basic authentication credentials (passsword is generated if not provided) + appUserName: cpstemporal + spring: + profile: helm + #appUserPassword: + +# Any new property can be added in the env by setting in overrides in the format mentioned below +# All the added properties must be in "key: value" format instead of yaml. +# additional: +# spring.config.max-size: 200 +# spring.config.min-size: 10 + + kafka: + service: message-router-kafka + port: 9092 + listenerTopic: cps.cfg-state-events + consumerGroupId: cps-temporal-group + protocol: PLAINTEXT + +logging: + level: INFO + path: /tmp + +timescaledb: + nameOverride: cps-temporal-db + container: + name: cps-temporal-db + name: cpstemporaldb + service: + name: cps-temporal-db + persistence: + mountSubPath: cps-temporal/data + mountInitPath: cps-temporal + config: + pgUserName: cpstemporaldb + pgDatabase: cpstemporaldb + pgUserExternalSecret: *pgUserCredsSecretName + serviceAccount: + nameOverride: cps-temporal-db + +readinessCheck: + wait_for: + - cps-temporal-db + +minReadySeconds: 10 +updateStrategy: + type: RollingUpdate + maxUnavailable: 0 + maxSurge: 1 \ No newline at end of file diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/.helmignore b/kubernetes/cps/components/ncmp-dmi-plugin/.helmignore new file mode 100644 index 0000000000..80b47d2723 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +components/ \ No newline at end of file diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml new file mode 100644 index 0000000000..e99111d859 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml @@ -0,0 +1,22 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v1 +description: ONAP Configuration Persistance Service (CPS) - NCMP-DMI-Plugin +name: ncmp-dmi-plugin +version: 8.0.0 diff --git a/kubernetes/esr/components/esr-gui/requirements.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/requirements.yaml similarity index 60% rename from kubernetes/esr/components/esr-gui/requirements.yaml rename to kubernetes/cps/components/ncmp-dmi-plugin/requirements.yaml index 343812db25..d1fbdd3182 100644 --- a/kubernetes/esr/components/esr-gui/requirements.yaml +++ b/kubernetes/cps/components/ncmp-dmi-plugin/requirements.yaml @@ -1,6 +1,6 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -12,14 +12,20 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= dependencies: - name: common version: ~8.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) + repository: '@local' + - name: readinessCheck + version: ~8.x-0 repository: '@local' - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml new file mode 100644 index 0000000000..d388823f9e --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml @@ -0,0 +1,57 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +server: + port: 8080 + +cps-core: + baseUrl: http://${CPS_CORE_HOST:cps}:${CPS_CORE_PORT:8080} + dmiRegistrationUrl : /cps-ncmp/api/ncmp-dmi/v1/ch + auth: + username: ${CPS_CORE_USERNAME} + password: ${CPS_CORE_PASSWORD} + +sdnc: + baseUrl: http://${SDNC_HOST:sdnc}:${SDNC_PORT:8181} + topologyId: ${SDNC_TOPOLOGY_ID:topology-netconf} + auth: + username: ${SDNC_USERNAME} + password: ${SDNC_PASSWORD} + +security: + # comma-separated uri patterns which do not require authorization + permit-uri: /manage/**,/swagger-ui/**,/swagger-resources/**,/v3/api-docs + auth: + username: ${DMI_PLUGIN_USERNAME} + password: ${DMI_PLUGIN_PASSWORD} + +logging: + level: + org: + springframework: {{ .Values.logging.level }} + onap: + cps: {{ .Values.logging.cps }} + + +{{- if .Values.config.additional }} +{{ toYaml .Values.config.additional | nindent 2 }} +{{- end }} + +# Last empty line is required otherwise the last property will be missing from application.yml file in the pod. diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/logback.xml b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/logback.xml new file mode 100644 index 0000000000..2a62c86e77 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/logback.xml @@ -0,0 +1,36 @@ + + + + + + + %d - %highlight(%-5level) [%-20.20thread] %cyan(%logger{36}) - %msg%n + + + + + + + + + + + + diff --git a/kubernetes/esr/components/esr-server/templates/NOTES.txt b/kubernetes/cps/components/ncmp-dmi-plugin/templates/NOTES.txt similarity index 51% rename from kubernetes/esr/components/esr-server/templates/NOTES.txt rename to kubernetes/cps/components/ncmp-dmi-plugin/templates/NOTES.txt index 5da4ade3a5..66f5302a11 100644 --- a/kubernetes/esr/components/esr-server/templates/NOTES.txt +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/NOTES.txt @@ -1,5 +1,6 @@ -# Copyright © 2018 Amdocs, Bell Canada -# +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -11,20 +12,28 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= 1. Get the application URL by running these commands: {{- if .Values.ingress.enabled }} {{- range .Values.ingress.hosts }} http://{{ . }} {{- end }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ .Chart.Name }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + export SERVICE_PORT=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.spec.ports[0].port}') + echo http://$SERVICE_IP:$SERVICE_PORT +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export POD_PORT=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].spec.containers[0].ports[0].containerPort}") echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} + kubectl port-forward $POD_NAME 8080:$POD_PORT {{- end }} diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/configmap.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/configmap.yaml new file mode 100644 index 0000000000..7e8a0058ec --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/configmap.yaml @@ -0,0 +1,24 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | nindent 2 }} diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml new file mode 100644 index 0000000000..d2fd5c9c49 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml @@ -0,0 +1,119 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "common.name" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} + {{- if .Values.prometheus.enabled }} + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: 'manage/prometheus' + prometheus.io/port: {{ .Values.managementPort | quote }} + {{- end }} + spec: + {{ include "common.podSecurityContext" . | indent 6 | trim}} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + - name: {{ include "common.name" . }}-update-config + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: DMI_PLUGIN_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "user-creds" "key" "login") | indent 12 }} + - name: DMI_PLUGIN_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "user-creds" "key" "password") | indent 12 }} + - name: SDNC_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnc-creds" "key" "login") | indent 12 }} + - name: SDNC_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnc-creds" "key" "password") | indent 12 }} + - name: CPS_CORE_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "core-creds" "key" "login") | indent 12 }} + - name: CPS_CORE_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "core-creds" "key" "password") | indent 12 }} + volumeMounts: + - mountPath: /config-input + name: init-data-input + - mountPath: /config + name: init-data + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + httpGet: + port: {{ .Values.liveness.port }} + path: {{ .Values.liveness.path }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + httpGet: + port: {{ .Values.readiness.port }} + path: {{ .Values.readiness.path }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: SPRING_PROFILES_ACTIVE + value: {{ .Values.config.spring.profile }} + resources: {{ include "common.resources" . | nindent 10 }} + {{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 12 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: /app/resources/application-helm.yml + subPath: application-helm.yml + name: init-data + - mountPath: /app/resources/logback.xml + subPath: logback.xml + name: init-data + - mountPath: /tmp + name: init-temp + volumes: + - name: init-data-input + configMap: + name: {{ include "common.fullname" . }} + - name: init-data + emptyDir: + medium: Memory + - name: init-temp + emptyDir: {} + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/esr/Chart.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/ingress.yaml similarity index 59% rename from kubernetes/esr/Chart.yaml rename to kubernetes/cps/components/ncmp-dmi-plugin/templates/ingress.yaml index 79b287505e..b3d1cafe15 100644 --- a/kubernetes/esr/Chart.yaml +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/ingress.yaml @@ -1,6 +1,7 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -12,8 +13,9 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} -apiVersion: v1 -description: ONAP External System Register -name: esr -version: 8.0.0 +{{ include "common.ingress" . }} diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/secrets.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/secrets.yaml new file mode 100644 index 0000000000..84e279d928 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/secrets.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/esr/requirements.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/service.yaml similarity index 59% rename from kubernetes/esr/requirements.yaml rename to kubernetes/cps/components/ncmp-dmi-plugin/templates/service.yaml index a2bf902284..4825d55c12 100644 --- a/kubernetes/esr/requirements.yaml +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/service.yaml @@ -1,6 +1,7 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -12,12 +13,9 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} -dependencies: - - name: esr-gui - version: ~8.x-0 - repository: 'file://components/esr-gui' - condition: esr-gui.enabled - - name: esr-server - version: ~8.x-0 - repository: 'file://components/esr-server' +{{ include "common.service" . }} diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml new file mode 100644 index 0000000000..245a5d7048 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml @@ -0,0 +1,157 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Secrets. +################################################################# +secrets: + - uid: user-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.appUserExternalSecret) . }}' + login: '{{ .Values.config.appUserName }}' + password: '{{ .Values.config.appUserPassword }}' + passwordPolicy: generate + - uid: sdnc-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.odlCredsExternalSecret) . }}' + login: '{{ .Values.config.sdncUser }}' + password: '{{ .Values.config.sdncPassword }}' + passwordPolicy: required + - uid: core-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.coreCredsExternalSecret) . }}' + login: '{{ .Values.config.coreUser }}' + password: '{{ .Values.config.corePassword }}' + passwordPolicy: generate + +################################################################# +# Global configuration defaults. +################################################################# +global: + ingress: + virtualhost: + baseurl: "simpledemo.onap.org" + +image: onap/ncmp-dmi-plugin:1.0.0 +containerPort: &svc_port 8080 +managementPort: &mgt_port 8081 + +prometheus: + enabled: true + interval: 60s + +service: + type: ClusterIP + name: ncmp-dmi-plugin + ports: + - name: &port http + port: *svc_port + - name: management + port: *mgt_port + targetPort: *mgt_port + +pullPolicy: IfNotPresent +# flag to enable debugging - application support required +debugEnabled: false +nodeSelector: {} +affinity: {} +# Resource Limit flavor -By Default using small +flavor: small +# default number of instances +replicaCount: 1 +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: 2 + memory: 2Gi + requests: + cpu: 1 + memory: 1Gi + large: + limits: + cpu: 4 + memory: 4Gi + requests: + cpu: 2 + memory: 2Gi + unlimited: {} +# probe configuration parameters +liveness: + initialDelaySeconds: 20 + periodSeconds: 20 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + path: /manage/health + port: *mgt_port + +readiness: + initialDelaySeconds: 15 + periodSeconds: 15 + path: /manage/health + port: *mgt_port + +ingress: + enabled: true + service: + - baseaddr: "ncmp-dmi-plugin" + path: "/" + name: "ncmp-dmi-plugin" + port: *svc_port + +serviceAccount: + nameOverride: ncmp-dmi-plugin + roles: + - read + +securityContext: + user_id: 100 + group_id: 655533 + +################################################################# +# Application configuration defaults. +################################################################# + +config: + + # REST API basic authentication credentials (passsword is generated if not provided) + appUserName: ncmpuser + spring: + profile: helm + #appUserPassword: + + sdncUser: admin + sdncPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + + coreUser: cpsuser + +# Any new property can be added in the env by setting in overrides in the format mentioned below +# All the added properties must be in "key: value" format insead of yaml. +# additional: +# spring.config.max-size: 200 +# spring.config.min-size: 10 + +logging: + level: INFO + cps: DEBUG + path: /tmp + +readinessCheck: + wait_for: + - cps-postgres diff --git a/kubernetes/cps/requirements.yaml b/kubernetes/cps/requirements.yaml index 9d044dcd13..053723331a 100644 --- a/kubernetes/cps/requirements.yaml +++ b/kubernetes/cps/requirements.yaml @@ -19,4 +19,12 @@ dependencies: - name: cps-core version: ~8.x-0 repository: '@local' - condition: cps-core.enabled \ No newline at end of file + condition: cps-core.enabled + - name: cps-temporal + version: ~8.x-0 + repository: '@local' + condition: cps-temporal.enabled + - name: ncmp-dmi-plugin + version: ~8.x-0 + repository: '@local' + condition: ncmp-dmi-plugin.enabled \ No newline at end of file diff --git a/kubernetes/cps/templates/secrets.yaml b/kubernetes/cps/templates/secrets.yaml new file mode 100644 index 0000000000..84e279d928 --- /dev/null +++ b/kubernetes/cps/templates/secrets.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/cps/values.yaml b/kubernetes/cps/values.yaml index 87bba7f1da..cda726d0d3 100755 --- a/kubernetes/cps/values.yaml +++ b/kubernetes/cps/values.yaml @@ -15,14 +15,34 @@ ################################################################# # Global configuration defaults. ################################################################# +secrets: + - uid: core-app-user-creds + name: &core-creds-secret '{{ include "common.release" . }}-cps-core-app-user-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.coreUserExternalSecret) . }}' + login: '{{ .Values.config.coreUserName }}' + password: '{{ .Values.config.coreUserPassword }}' + passwordPolicy: generate + passwordStrengthOverride: basic global: ingress: virtualhost: baseurl: "simpledemo.onap.org" -config: {} +config: + coreUserName: cpsuser # Enable all CPS components by default cps-core: enabled: true + config: + appUserExternalSecret: *core-creds-secret + +cps-temporal: + enabled: true + +ncmp-dmi-plugin: + enabled: true + config: + coreCredsExternalSecret: *core-creds-secret diff --git a/kubernetes/dcaegen2-services/components/dcae-bbs-eventprocessor-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-bbs-eventprocessor-ms/values.yaml index 2eb3e5ae00..9815bf7ed6 100644 --- a/kubernetes/dcaegen2-services/components/dcae-bbs-eventprocessor-ms/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-bbs-eventprocessor-ms/values.yaml @@ -55,7 +55,7 @@ consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1. # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.components.bbs-event-processor:2.1.0 +image: onap/org.onap.dcaegen2.services.components.bbs-event-processor:2.1.1 pullPolicy: Always # Log directory where logging sidecar should look for log files diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml index 838e49e9cc..be7620733b 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml @@ -34,13 +34,13 @@ filebeatConfig: ################################################################# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.1 -certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0 ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.collectors.datafile.datafile-app-server:1.6.0 +image: onap/org.onap.dcaegen2.collectors.datafile.datafile-app-server:1.6.1 pullPolicy: Always # Log directory where logging sidecar should look for log files @@ -106,6 +106,12 @@ service: plain_port: 8100 port_protocol: http +# Environment variables +applicationEnv: +# Empty path forces DFC to use Consul configuration, which allows app runtime reconfiguration. +# It's a workaround because DMAAP specific env variables are not available in main container. + CBS_CLIENT_CONFIG_PATH: '' + # Initial Application Configuration applicationConfig: dmaap.certificateConfig.keyCert: /opt/app/datafile/etc/cert/cert.p12 diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml index d092b83937..faff44cc56 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml @@ -49,7 +49,7 @@ consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1. # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.datalakeadminui:1.1.0 +image: onap/org.onap.dcaegen2.services.datalakeadminui:1.1.1 # Log directory where logging sidecar should look for log files # if absent, no sidecar will be deployed diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml b/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml index 09637c5cfc..8847f298e8 100644 --- a/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml @@ -56,7 +56,7 @@ consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1. # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.heartbeat:2.2.0 +image: onap/org.onap.dcaegen2.services.heartbeat:2.3.1 pullPolicy: Always # Log directory where logging sidecar should look for log files diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml index 9b943c4fcc..07b10614a8 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml @@ -35,13 +35,13 @@ filebeatConfig: ################################################################# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.1 -certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0 ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.9.0 +image: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.9.1 pullPolicy: Always # log directory where logging sidecar should look for log files @@ -178,6 +178,7 @@ applicationConfig: applicationEnv: JAVA_OPTS: '-Dlogback.configurationFile=/etc/ONAP/dcae-hv-ves-collector/logback.xml' + CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' # Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml index 425016878c..0bb9bdce62 100644 --- a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml @@ -49,7 +49,7 @@ consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1. # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.components.kpi-ms:1.0.0 +image: onap/org.onap.dcaegen2.services.components.kpi-ms:1.0.1 pullPolicy: Always # Log directory where logging sidecar should look for log files diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml index d18e8d64eb..0dff427f49 100644 --- a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml @@ -54,7 +54,7 @@ consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1. # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.pm-mapper:1.7.0 +image: onap/org.onap.dcaegen2.services.pm-mapper:1.7.2 pullPolicy: Always # Log directory where logging sidecar should look for log files diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml index 0efcf2eb3d..512bd2643a 100644 --- a/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml @@ -56,7 +56,7 @@ consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1. # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.pmsh:1.3.1 +image: onap/org.onap.dcaegen2.services.pmsh:1.3.2 pullPolicy: Always # Log directory where logging sidecar should look for log files diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml index 3fa5faf8c5..c7d4c1d82f 100644 --- a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml @@ -101,8 +101,6 @@ customEnvVars: value: "Basic `echo -n ${AAI_USER}:${AAI_PASSWORD} | base64`" # initial application configuration -# Configuration used for in-app substitution must be defined as $${undefined}{} under applicationConfig -# inorder to get ${} post envsubst (done part of dcae helm service-common templates) applicationConfig: dmaap.dmaapConsumerConfiguration.dmaapContentType: "application/json" dmaap.dmaapConsumerConfiguration.consumerId: "c12" diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml index 35d108d000..5974d80e81 100644 --- a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml @@ -56,7 +56,7 @@ consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1. # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.components.slice-analysis-ms:1.0.4 +image: onap/org.onap.dcaegen2.services.components.slice-analysis-ms:1.0.6 # Log directory where logging sidecar should look for log files # if absent, no sidecar will be deployed diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml b/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml index 31c6b46e95..a0ab079e1d 100644 --- a/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml @@ -56,7 +56,7 @@ consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1. # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.son-handler:2.1.3 +image: onap/org.onap.dcaegen2.services.son-handler:2.1.4 pullPolicy: Always # Log directory where logging sidecar should look for log files diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml index fa85c7de60..778f6c94ed 100644 --- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml @@ -41,7 +41,7 @@ consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1. # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.3.0 +image: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.3.1 pullPolicy: Always # log directory where logging sidecar should look for log files @@ -94,8 +94,7 @@ service: # policyRelease: "onap" # policyID: | # '["onap.vfirewall.tca","onap.vdns.tca"]' -# filter: | -# '["DCAE.Config_vfirewall_.*"]' + aaiCreds: user: DCAE @@ -137,7 +136,7 @@ applicationConfig: tca.aai.generic_vnf_path: aai/v11/network/generic-vnfs/generic-vnf tca.aai.node_query_path: aai/v11/search/nodes-query tca.aai.password: ${AAI_PASSWORD} - tca.aai.url: http://aai + tca.aai.url: https://aai:8443 tca.aai.username: ${AAI_USERNAME} tca.policy: '{"domain":"measurementsForVfScaling","metricsPerEventName":[{"eventName":"vFirewallBroadcastPackets","controlLoopSchemaType":"VM","policyScope":"DCAE","policyName":"DCAE.Config_tca-hi-lo","policyVersion":"v0.0.1","thresholds":[{"closedLoopControlName":"ControlLoop-vFirewall-d0a1dfc6-94f5-4fd4-a5b5-4630b438850a","version":"1.0.2","fieldPath":"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedTotalPacketsDelta","thresholdValue":300,"direction":"LESS_OR_EQUAL","severity":"MAJOR","closedLoopEventStatus":"ONSET"},{"closedLoopControlName":"ControlLoop-vFirewall-d0a1dfc6-94f5-4fd4-a5b5-4630b438850a","version":"1.0.2","fieldPath":"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedTotalPacketsDelta","thresholdValue":700,"direction":"GREATER_OR_EQUAL","severity":"CRITICAL","closedLoopEventStatus":"ONSET"}]},{"eventName":"vLoadBalancer","controlLoopSchemaType":"VM","policyScope":"DCAE","policyName":"DCAE.Config_tca-hi-lo","policyVersion":"v0.0.1","thresholds":[{"closedLoopControlName":"ControlLoop-vDNS-6f37f56d-a87d-4b85-b6a9-cc953cf779b3","version":"1.0.2","fieldPath":"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedTotalPacketsDelta","thresholdValue":300,"direction":"GREATER_OR_EQUAL","severity":"CRITICAL","closedLoopEventStatus":"ONSET"}]},{"eventName":"Measurement_vGMUX","controlLoopSchemaType":"VNF","policyScope":"DCAE","policyName":"DCAE.Config_tca-hi-lo","policyVersion":"v0.0.1","thresholds":[{"closedLoopControlName":"ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-052274181b6e","version":"1.0.2","fieldPath":"$.event.measurementsForVfScalingFields.additionalMeasurements[*].arrayOfFields[0].value","thresholdValue":0,"direction":"EQUAL","severity":"MAJOR","closedLoopEventStatus":"ABATED"},{"closedLoopControlName":"ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-052274181b6e","version":"1.0.2","fieldPath":"$.event.measurementsForVfScalingFields.additionalMeasurements[*].arrayOfFields[0].value","thresholdValue":0,"direction":"GREATER","severity":"CRITICAL","closedLoopEventStatus":"ONSET"}]}]}' tca.processing_batch_size: 10000 diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml index 34adba7a3c..bfea92aeb9 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml @@ -35,7 +35,7 @@ filebeatConfig: ################################################################# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.1 -certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0 ################################################################# # Application configuration defaults. diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml index a077c0f319..7bde2e99fb 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml @@ -39,7 +39,7 @@ consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1. # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.mapper.vesadapter.universalvesadaptor:1.2.0 +image: onap/org.onap.dcaegen2.services.mapper.vesadapter.universalvesadaptor:1.3.0 pullPolicy: Always # Log directory where logging sidecar should look for log files diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml index 9ca5258d37..f3e6c29d53 100644 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml @@ -104,16 +104,16 @@ mongo: disableNfsProvisioner: true # application image -image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:3.3.3 +image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:3.3.5 default_k8s_location: central # DCAE component images to be deployed via Cloudify Manager # Use to override default setting in blueprints componentImages: - tcagen2: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.3.0 + tcagen2: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.3.1 ves: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.10.1 prh: onap/org.onap.dcaegen2.services.prh.prh-app-server:1.7.1 - hv_ves: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.9.0 + hv_ves: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.9.1 # Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml index 5517269574..e6567d9ac2 100644 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml @@ -53,7 +53,7 @@ config: # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.deployments.cm-container:4.6.0 +image: onap/org.onap.dcaegen2.deployments.cm-container:4.6.1 pullPolicy: Always # name of shared ConfigMap with kubeconfig for multiple clusters diff --git a/kubernetes/dcaegen2/components/dcae-config-binding-service/values.yaml b/kubernetes/dcaegen2/components/dcae-config-binding-service/values.yaml index 63f96044fa..1d421427c3 100644 --- a/kubernetes/dcaegen2/components/dcae-config-binding-service/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-config-binding-service/values.yaml @@ -36,7 +36,7 @@ config: # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.platform.configbinding:2.5.3 +image: onap/org.onap.dcaegen2.platform.configbinding:2.5.4 pullPolicy: Always # probe configuration parameters diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/requirements.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/requirements.yaml index 0972e6b6b9..233f6e4651 100644 --- a/kubernetes/dcaemod/components/dcaemod-designtool/requirements.yaml +++ b/kubernetes/dcaemod/components/dcaemod-designtool/requirements.yaml @@ -22,3 +22,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/templates/deployment.yaml index bd2766f6db..556ac90e02 100644 --- a/kubernetes/dcaemod/components/dcaemod-designtool/templates/deployment.yaml +++ b/kubernetes/dcaemod/components/dcaemod-designtool/templates/deployment.yaml @@ -84,5 +84,6 @@ spec: value: {{ .Values.config.nifiJarsIndexURL }} - name: NIFI_DCAE_DISTRIBUTOR_API_URL value: {{ .Values.config.distributorAPIURL }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/values.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/values.yaml index 74c7bdb223..86aad57b1b 100644 --- a/kubernetes/dcaemod/components/dcaemod-designtool/values.yaml +++ b/kubernetes/dcaemod/components/dcaemod-designtool/values.yaml @@ -90,3 +90,9 @@ resources: cpu: 2 memory: 2Gi unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: dcaemod-designtool + roles: + - read diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/requirements.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/requirements.yaml index b242fbf51d..268442616b 100644 --- a/kubernetes/dcaemod/components/dcaemod-distributor-api/requirements.yaml +++ b/kubernetes/dcaemod/components/dcaemod-distributor-api/requirements.yaml @@ -22,3 +22,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/deployment.yaml index 696b43a536..f36c2af002 100644 --- a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/deployment.yaml +++ b/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/deployment.yaml @@ -72,5 +72,6 @@ spec: - name : ONBOARDING_API_URL value: {{ .Values.config.onboardingAPIURL }} resources: {{ include "common.resources" . | nindent 12 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/values.yaml index 541f239d77..61ccfdef79 100644 --- a/kubernetes/dcaemod/components/dcaemod-distributor-api/values.yaml +++ b/kubernetes/dcaemod/components/dcaemod-distributor-api/values.yaml @@ -89,3 +89,9 @@ resources: cpu: 2 memory: 2Gi unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: dcaemod-distributor-api + roles: + - read diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/requirements.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/requirements.yaml index b242fbf51d..268442616b 100644 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/requirements.yaml +++ b/kubernetes/dcaemod/components/dcaemod-genprocessor/requirements.yaml @@ -22,3 +22,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/deployment.yaml index 40b0f3edc4..26f6586688 100644 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/deployment.yaml +++ b/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/deployment.yaml @@ -72,6 +72,7 @@ spec: - mountPath: /www/data name: genprocessor-data readOnly: true + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: genprocessor-data persistentVolumeClaim: diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/values.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/values.yaml index 4b79525c83..81c5888f10 100644 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/values.yaml +++ b/kubernetes/dcaemod/components/dcaemod-genprocessor/values.yaml @@ -96,3 +96,9 @@ resources: memory: 2Gi unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: dcaemod-genprocessor + roles: + - read + diff --git a/kubernetes/dcaemod/components/dcaemod-healthcheck/requirements.yaml b/kubernetes/dcaemod/components/dcaemod-healthcheck/requirements.yaml index 0697ceb1d6..3762a2acea 100644 --- a/kubernetes/dcaemod/components/dcaemod-healthcheck/requirements.yaml +++ b/kubernetes/dcaemod/components/dcaemod-healthcheck/requirements.yaml @@ -23,3 +23,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/deployment.yaml index 0eaa2296bb..f46dc5f287 100644 --- a/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/deployment.yaml +++ b/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/deployment.yaml @@ -58,6 +58,7 @@ spec: value: {{ include "common.namespace" . }} - name: HELM_RELEASE value: {{ include "common.release" . }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-expected-components configMap: diff --git a/kubernetes/dcaemod/components/dcaemod-healthcheck/values.yaml b/kubernetes/dcaemod/components/dcaemod-healthcheck/values.yaml index 6a4fd542e7..bbc72a5b08 100644 --- a/kubernetes/dcaemod/components/dcaemod-healthcheck/values.yaml +++ b/kubernetes/dcaemod/components/dcaemod-healthcheck/values.yaml @@ -64,4 +64,9 @@ resources: memory: 2Gi unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: dcaemod-healthcheck + roles: + - read diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/requirements.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/requirements.yaml index b242fbf51d..268442616b 100644 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/requirements.yaml +++ b/kubernetes/dcaemod/components/dcaemod-nifi-registry/requirements.yaml @@ -22,3 +22,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/deployment.yaml index 90561ac231..53f1de59bc 100644 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/deployment.yaml +++ b/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/deployment.yaml @@ -69,6 +69,7 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dbsecret" "key" "login") | indent 12 }} - name: NIFI_REGISTRY_DB_PASS {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dbsecret" "key" "password") | indent 12 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: flow-storage persistentVolumeClaim: diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/values.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/values.yaml index 25b3b9e318..a0bbacc7ef 100644 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/values.yaml +++ b/kubernetes/dcaemod/components/dcaemod-nifi-registry/values.yaml @@ -88,3 +88,9 @@ resources: cpu: 2 memory: 2Gi unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: dcaemod-nifi-registry + roles: + - read diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/requirements.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/requirements.yaml index 7416c8cf4f..9320cd04ca 100644 --- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/requirements.yaml +++ b/kubernetes/dcaemod/components/dcaemod-onboarding-api/requirements.yaml @@ -25,3 +25,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/deployment.yaml index b795f6b736..5c7d1b6d0d 100644 --- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/deployment.yaml +++ b/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/deployment.yaml @@ -78,5 +78,6 @@ spec: value: "5432" - name: PG_DB_NAME value: dcae_onboarding_db + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml index 9401bf5340..c36e9b7129 100644 --- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml +++ b/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml @@ -114,3 +114,9 @@ resources: memory: 2Gi unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: dcaemod-onboarding-api + roles: + - read + diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/requirements.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/requirements.yaml index b242fbf51d..268442616b 100644 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/requirements.yaml +++ b/kubernetes/dcaemod/components/dcaemod-runtime-api/requirements.yaml @@ -22,3 +22,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/deployment.yaml index 42f596db1e..d5c37e9858 100644 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/deployment.yaml +++ b/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/deployment.yaml @@ -71,6 +71,7 @@ spec: value: {{ .Values.config.bpResourcesCpuLimit }} - name: BP_RESOURCES_MEMORY_LIMIT value: {{ .Values.config.bpResourcesMemoryLimit }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml index 90bc0989d0..e54608b30e 100644 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml +++ b/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml @@ -35,7 +35,7 @@ config: importCloudify: https://www.getcloudify.org/spec/cloudify/4.5.5/types.yaml importK8S: plugin:k8splugin?version=>=3.5.1,<4.0.0 importPostgres: plugin:pgaas?version=1.3.0 - importClamp: plugin:clamppolicyplugin?version=1.1.0 + importClamp: plugin:clamppolicyplugin?version=1.1.1 importDMaaP: plugin:dmaap?version=>=1.5.1,<2.0.0 useDmaapPlugin: false bpResourcesCpuLimit: 250m @@ -93,3 +93,9 @@ resources: memory: 2Gi unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: dcaemod-runtime-api + roles: + - read + diff --git a/kubernetes/esr/Makefile b/kubernetes/esr/Makefile deleted file mode 100644 index 4c79718d02..0000000000 --- a/kubernetes/esr/Makefile +++ /dev/null @@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/requirements.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */requirements.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/esr/components/Makefile b/kubernetes/esr/components/Makefile deleted file mode 100644 index bf267b7720..0000000000 --- a/kubernetes/esr/components/Makefile +++ /dev/null @@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/requirements.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */requirements.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/esr/components/esr-gui/templates/NOTES.txt b/kubernetes/esr/components/esr-gui/templates/NOTES.txt deleted file mode 100644 index e2b067fde4..0000000000 --- a/kubernetes/esr/components/esr-gui/templates/NOTES.txt +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ .Chart.Name }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/esr/components/esr-gui/templates/deployment.yaml b/kubernetes/esr/components/esr-gui/templates/deployment.yaml deleted file mode 100644 index 74f933572f..0000000000 --- a/kubernetes/esr/components/esr-gui/templates/deployment.yaml +++ /dev/null @@ -1,102 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - securityContext: - runAsUser: 1000 - runAsGroup: 1001 - fsGroup: 1001 - initContainers: - - command: - - cp - args: - - -r - - -T - - /home/esr/tomcat - - /opt/tomcat - securityContext: - privileged: true - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: create-tomcat-dir - volumeMounts: - - name: tomcat-workdir - mountPath: /opt/tomcat - - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: MSB_ADDR - value: {{ tpl .Values.msbaddr . }} - volumeMounts: - - name: tomcat-workdir - mountPath: /home/esr/tomcat/ - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - - volumes: - - name: tomcat-workdir - emptyDir: {} - - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/esr/components/esr-gui/templates/service.yaml b/kubernetes/esr/components/esr-gui/templates/service.yaml deleted file mode 100644 index b020257873..0000000000 --- a/kubernetes/esr/components/esr-gui/templates/service.yaml +++ /dev/null @@ -1,46 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "aai-esr-gui", - "version": "v1", - "url": "/esr-gui", - "protocol": "UI", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"1", - "path":"/iui/aai-esr-gui" - } - ]' -spec: - ports: - - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/esr/components/esr-gui/values.yaml b/kubernetes/esr/components/esr-gui/values.yaml deleted file mode 100644 index 417ace5ab4..0000000000 --- a/kubernetes/esr/components/esr-gui/values.yaml +++ /dev/null @@ -1,73 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/aai/esr-gui:1.4.0 -pullPolicy: Always -msbaddr: msb-iag.{{ include "common.namespace" . }}:443 - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - name: esr-gui - internalPort: 8080 - -ingress: - enabled: false - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory -#resources: -# limits: -# cpu: 2 -# memory: 4Gi -# requests: -# cpu: 2 -# memory: 4Gi diff --git a/kubernetes/esr/components/esr-server/resources/config/log/filebeat/filebeat.yml b/kubernetes/esr/components/esr-server/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index a60fb95795..0000000000 --- a/kubernetes/esr/components/esr-server/resources/config/log/filebeat/filebeat.yml +++ /dev/null @@ -1,56 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. - #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.config.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/esr/components/esr-server/resources/config/logback.xml b/kubernetes/esr/components/esr-server/resources/config/logback.xml deleted file mode 100644 index fcc9f250d9..0000000000 --- a/kubernetes/esr/components/esr-server/resources/config/logback.xml +++ /dev/null @@ -1,144 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ${logDirectory}/${auditLogName}.log - - ${logDirectory}/${auditLogName}.log.%d - - - ${auditPattern} - - - - - ${queueSize} - - - - - ${logDirectory}/${metricsLogName}.log - - ${logDirectory}/${metricsLogName}.log.%d - - - ${metricPattern} - - - - - ${queueSize} - - - - - ${logDirectory}/${errorLogName}.log - - ${logDirectory}/${errorLogName}.log.%d - - - INFO - - - ${errorPattern} - - - - - ${queueSize} - - - - - ${logDirectory}/${debugLogName}.log - - ${logDirectory}/${debugLogName}.log.%d - - - ${debugPattern} - - - - - ${queueSize} - - true - - - - - ${consolePattern} - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/kubernetes/esr/components/esr-server/templates/deployment.yaml b/kubernetes/esr/components/esr-server/templates/deployment.yaml deleted file mode 100644 index 03bcaa09d4..0000000000 --- a/kubernetes/esr/components/esr-server/templates/deployment.yaml +++ /dev/null @@ -1,137 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - securityContext: - runAsUser: 1000 - runAsGroup: 1001 - fsGroup: 1001 - initContainers: - - command: - - cp - args: - - -r - - -T - - /home/esr/conf - - /opt/conf - securityContext: - privileged: true - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: create-conf-dir - volumeMounts: - - name: conf-dir - mountPath: /opt/conf - - containers: - - name: {{ .Chart.Name }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: MSB_ADDR - value: {{ tpl .Values.msbaddr . }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /home/esr/works/logs - name: {{ include "common.fullname" . }}-logs - - mountPath: /home/esr/conf - name: conf-dir - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - # Filebeat sidecar container - - name: {{ include "common.name" . }}-filebeat-onap - securityContext: - runAsUser: 1000 - runAsGroup: 1000 - image: {{ include "repositoryGenerator.image.logging" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - name: {{ include "common.fullname" . }}-filebeat-conf - mountPath: /usr/share/filebeat/filebeat.yml - subPath: filebeat.yml - - name: {{ include "common.fullname" . }}-data-filebeat - mountPath: /usr/share/filebeat/data - - name: {{ include "common.fullname" . }}-logs - mountPath: /var/log/onap/esr/esr-server - - mountPath: /opt/ajsc/etc/config/logback.xml - name: {{ include "common.fullname" . }}-log-conf - subPath: logback.xml - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-log-conf - configMap: - name: {{ include "common.fullname" . }}-log - - name: {{ include "common.fullname" . }}-filebeat-conf - configMap: - name: {{ include "common.fullname" . }}-esr-filebeat-configmap - - name: {{ include "common.fullname" . }}-data-filebeat - emptyDir: {} - - name: {{ include "common.fullname" . }}-logs - emptyDir: {} - - name: conf-dir - emptyDir: {} - - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/esr/components/esr-server/templates/service.yaml b/kubernetes/esr/components/esr-server/templates/service.yaml deleted file mode 100644 index 9fb6e93a7b..0000000000 --- a/kubernetes/esr/components/esr-server/templates/service.yaml +++ /dev/null @@ -1,55 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "aai-esr-server", - "version": "v1", - "url": "/api/aai-esr-server/v1", - "protocol": "REST", - "port": "{{.Values.service.internalPort}}", - "enable_ssl": true, - "visualRange":"1" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/esr/components/esr-server/values.yaml b/kubernetes/esr/components/esr-server/values.yaml deleted file mode 100644 index a3fb6862a6..0000000000 --- a/kubernetes/esr/components/esr-server/values.yaml +++ /dev/null @@ -1,91 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -subChartsOnly: - enabled: true - -# application image -image: onap/aai/esr-server:1.5.2 -pullPolicy: Always -msbaddr: msb-iag.{{ include "common.namespace" . }}:443 - -# application configuration -config: - logstashServiceName: log-ls - logstashPort: 5044 - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: ClusterIP - name: esr-server - portName: esr-server - externalPort: 9518 - internalPort: 9518 - -ingress: - enabled: false - -log: - componentName: esr - subcomponentName: esr-server - debug: true - scan: - enabled: false - logDir: /var/log/onap - queueSize: 256 - root: - level: INFO - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory -#resources: -# limits: -# cpu: 2 -# memory: 4Gi -# requests: -# cpu: 2 -# memory: 4Gi diff --git a/kubernetes/helm/plugins/deploy/deploy.sh b/kubernetes/helm/plugins/deploy/deploy.sh index 536be7b4a9..5820e77521 100755 --- a/kubernetes/helm/plugins/deploy/deploy.sh +++ b/kubernetes/helm/plugins/deploy/deploy.sh @@ -22,13 +22,13 @@ You can specify the '--values'/'-f' flag multiple times. The priority will be gi last (right-most) file specified. For example, if both myvalues.yaml and override.yaml contained a key called 'Test', the value set in override.yaml would take precedence: - $ helm deploy demo ./onap --namespace onap -f openstack.yaml -f overrides.yaml + $ helm deploy demo ./onap --namespace onap -f openstack.yaml -f overrides.yaml You can specify the '--set' flag multiple times. The priority will be given to the last (right-most) set specified. For example, if both 'bar' and 'newbar' values are set for a key called 'foo', the 'newbar' value would take precedence: - $ helm deploy demo local/onap --namespace onap -f overrides.yaml --set log.enabled=false --set vid.enabled=false + $ helm deploy demo local/onap --namespace onap -f overrides.yaml --set log.enabled=false --set vid.enabled=false Usage: helm deploy [RELEASE] [CHART] [flags] @@ -91,7 +91,7 @@ deploy() { # validate params if [ -z "$1" ] || [ -z "$2" ]; then usage - exit 0 + exit 1 fi RELEASE=$1 @@ -123,7 +123,7 @@ deploy() { fi # determine if set-last-applied flag is enabled SET_LAST_APPLIED="false" - if expr"$FLAGS" : ".*--set-last-applied.*" ; then + if expr "$FLAGS" : ".*--set-last-applied.*" ; then FLAGS="$(echo $FLAGS| sed -n 's/--set-last-applied//p')" SET_LAST_APPLIED="true" fi @@ -242,17 +242,17 @@ deploy() { else echo "release \"${RELEASE}-${subchart}\" deployed" fi - # Add annotation last-applied-configuration if set-last-applied flag is set + # Add annotation last-applied-configuration if set-last-applied flag is set if [ "$SET_LAST_APPLIED" = "true" ]; then helm get manifest "${RELEASE}-${subchart}" \ | kubectl apply set-last-applied --create-annotation -n onap -f - \ - > $LOG_FILE.log 2>&1 + > $LOG_FILE.log 2>&1 fi fi - if [ "$DELAY" = "true" ]; then - echo sleep 3m - sleep 180 - fi + if [ "$DELAY" = "true" ]; then + echo sleep 3m + sleep 180 + fi else array=($(echo "$ALL_HELM_RELEASES" | grep "${RELEASE}-${subchart}")) n=${#array[*]} diff --git a/kubernetes/helm/plugins/undeploy/undeploy.sh b/kubernetes/helm/plugins/undeploy/undeploy.sh index 72c64244c0..a3b0e3c623 100755 --- a/kubernetes/helm/plugins/undeploy/undeploy.sh +++ b/kubernetes/helm/plugins/undeploy/undeploy.sh @@ -29,9 +29,9 @@ undeploy() { done } -if [ $# < 1 ]; then +if [ -z "$1" ]; then echo "Error: command 'undeploy' requires a release name" - exit 0 + exit 1 fi case "${1:-"help"}" in diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml index f44faa1059..bbdc3e09cd 100644 --- a/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml +++ b/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml @@ -25,7 +25,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/holmes/engine-management:1.3.3 +image: onap/holmes/engine-management:9.0.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 ################################################################# diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml index 9e2b656150..4f4849a5a4 100644 --- a/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml +++ b/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml @@ -25,7 +25,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/holmes/rule-management:1.3.3 +image: onap/holmes/rule-management:9.0.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 ################################################################# diff --git a/kubernetes/msb/components/msb-consul/resources/docker-entrypoint.sh b/kubernetes/msb/components/msb-consul/resources/docker-entrypoint.sh index cbcbf7a8bf..2b42402102 100755 --- a/kubernetes/msb/components/msb-consul/resources/docker-entrypoint.sh +++ b/kubernetes/msb/components/msb-consul/resources/docker-entrypoint.sh @@ -48,7 +48,7 @@ CONSUL_CONFIG_DIR=/consul/config # You can also set the CONSUL_LOCAL_CONFIG environemnt variable to pass some # Consul configuration JSON without having to bind any volumes. if [ -n "$CONSUL_LOCAL_CONFIG" ]; then - echo "$CONSUL_LOCAL_CONFIG" > "$CONSUL_CONFIG_DIR/local.json" + echo "$CONSUL_LOCAL_CONFIG" > "$CONSUL_CONFIG_DIR/local.json" fi # If the user is trying to run Consul directly with some arguments, then diff --git a/kubernetes/msb/components/msb-discovery/values.yaml b/kubernetes/msb/components/msb-discovery/values.yaml index 994e84b722..e981bbd091 100644 --- a/kubernetes/msb/components/msb-discovery/values.yaml +++ b/kubernetes/msb/components/msb-discovery/values.yaml @@ -21,7 +21,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/msb/msb_discovery:1.2.6 +image: onap/msb/msb_discovery:1.2.7 pullPolicy: Always istioSidecar: true diff --git a/kubernetes/msb/components/msb-eag/values.yaml b/kubernetes/msb/components/msb-eag/values.yaml index 3629eb43ec..0a343cf925 100644 --- a/kubernetes/msb/components/msb-eag/values.yaml +++ b/kubernetes/msb/components/msb-eag/values.yaml @@ -52,7 +52,7 @@ certInitializer: # Application configuration defaults. ################################################################# # application image -image: onap/msb/msb_apigateway:1.2.7 +image: onap/msb/msb_apigateway:1.2.8 pullPolicy: Always istioSidecar: true diff --git a/kubernetes/msb/components/msb-iag/values.yaml b/kubernetes/msb/components/msb-iag/values.yaml index b95a11914d..baf2bec4bc 100644 --- a/kubernetes/msb/components/msb-iag/values.yaml +++ b/kubernetes/msb/components/msb-iag/values.yaml @@ -52,7 +52,7 @@ certInitializer: # Application configuration defaults. ################################################################# # application image -image: onap/msb/msb_apigateway:1.2.7 +image: onap/msb/msb_apigateway:1.2.8 pullPolicy: Always istioSidecar: true diff --git a/kubernetes/onap/requirements.yaml b/kubernetes/onap/requirements.yaml index fa3efd3b40..61d4314be4 100755 --- a/kubernetes/onap/requirements.yaml +++ b/kubernetes/onap/requirements.yaml @@ -78,10 +78,6 @@ dependencies: version: ~8.x-0 repository: '@local' condition: dmaap.enabled - - name: esr - version: ~8.x-0 - repository: '@local' - condition: esr.enabled - name: log version: ~8.x-0 repository: '@local' diff --git a/kubernetes/onap/resources/environments/core-onap.yaml b/kubernetes/onap/resources/environments/core-onap.yaml index 24678e6680..de448084ee 100644 --- a/kubernetes/onap/resources/environments/core-onap.yaml +++ b/kubernetes/onap/resources/environments/core-onap.yaml @@ -77,8 +77,6 @@ holmes: enabled: false dmaap: enabled: true -esr: - enabled: false log: enabled: false mariadb-galera: diff --git a/kubernetes/onap/resources/environments/dev.yaml b/kubernetes/onap/resources/environments/dev.yaml index df333455d8..b5951b25d2 100644 --- a/kubernetes/onap/resources/environments/dev.yaml +++ b/kubernetes/onap/resources/environments/dev.yaml @@ -81,8 +81,6 @@ holmes: enabled: false dmaap: enabled: false -esr: - enabled: false log: enabled: false log-logstash: diff --git a/kubernetes/onap/resources/environments/disable-allcharts.yaml b/kubernetes/onap/resources/environments/disable-allcharts.yaml index af3c11a17e..0f93b94983 100644 --- a/kubernetes/onap/resources/environments/disable-allcharts.yaml +++ b/kubernetes/onap/resources/environments/disable-allcharts.yaml @@ -51,8 +51,6 @@ holmes: enabled: false dmaap: enabled: false -esr: - enabled: false log: enabled: false sniro-emulator: diff --git a/kubernetes/onap/resources/environments/minimal-onap.yaml b/kubernetes/onap/resources/environments/minimal-onap.yaml index 56ed2fef85..670a55ae8d 100644 --- a/kubernetes/onap/resources/environments/minimal-onap.yaml +++ b/kubernetes/onap/resources/environments/minimal-onap.yaml @@ -72,8 +72,6 @@ holmes: enabled: false dmaap: enabled: true -esr: - enabled: false log: enabled: false mariadb-galera: diff --git a/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml b/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml index 7f23899c98..8c9babb99a 100644 --- a/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml +++ b/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml @@ -104,8 +104,6 @@ holmes: enabled: false dmaap: enabled: true -esr: - enabled: true log: enabled: true sniro-emulator: diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml index f3358d007d..528cd2c687 100644 --- a/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml +++ b/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml @@ -46,8 +46,6 @@ holmes: enabled: true dmaap: enabled: true -esr: - enabled: true oof: enabled: true msb: diff --git a/kubernetes/onap/resources/overrides/onap-all.yaml b/kubernetes/onap/resources/overrides/onap-all.yaml index ad002cc385..91e0157aea 100644 --- a/kubernetes/onap/resources/overrides/onap-all.yaml +++ b/kubernetes/onap/resources/overrides/onap-all.yaml @@ -55,8 +55,6 @@ holmes: enabled: true dmaap: enabled: true -esr: - enabled: true oof: enabled: true msb: diff --git a/kubernetes/onap/resources/overrides/sm-onap.yaml b/kubernetes/onap/resources/overrides/sm-onap.yaml index ca98011484..312fc4b65f 100644 --- a/kubernetes/onap/resources/overrides/sm-onap.yaml +++ b/kubernetes/onap/resources/overrides/sm-onap.yaml @@ -74,8 +74,6 @@ dcaegen2-services: enabled: false holmes: enabled: false -esr: - enabled: false log: enabled: false mariadb-galera: diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index 028b43aef2..133e59fb01 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -298,8 +298,6 @@ holmes: enabled: false dmaap: enabled: false -esr: - enabled: false # Today, "logging" chart that perform the central part of logging must also be # enabled in order to make it work. So `logging.enabled` must have the same # value than centralizedLoggingEnabled diff --git a/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml b/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml index 0bc24afe86..e8418355d3 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml @@ -56,7 +56,10 @@ spec: description: Path of health check endpoint. type: string certEndpoint: - description: Path of cerfificate signing enpoint. + description: Path of cerfificate signing endpoint. + type: string + updateEndpoint: + description: Path of certificate update endpoint. type: string caName: description: Name of the external CA server configured on CertService API side. diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml index ae4ae81f02..52e35375d3 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml @@ -25,6 +25,7 @@ spec: url: {{ .Values.cmpv2issuer.url }} healthEndpoint: {{ .Values.cmpv2issuer.healthcheckEndpoint }} certEndpoint: {{ .Values.cmpv2issuer.certEndpoint }} + updateEndpoint: {{ .Values.cmpv2issuer.updateEndpoint }} caName: {{ .Values.cmpv2issuer.caName }} certSecretRef: name: {{ .Values.cmpv2issuer.certSecretRef.name }} diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml index 38bddfbdc3..2237811465 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml @@ -28,7 +28,7 @@ namespace: onap # Deployment configuration deployment: name: oom-certservice-cmpv2issuer - image: onap/org.onap.oom.platform.cert-service.oom-certservice-k8s-external-provider:2.3.2 + image: onap/org.onap.oom.platform.cert-service.oom-certservice-k8s-external-provider:2.4.0 proxyImage: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 # fol local development use IfNotPresent pullPolicy: Always @@ -50,6 +50,7 @@ cmpv2issuer: url: https://oom-cert-service:8443 healthcheckEndpoint: actuator/health certEndpoint: v1/certificate + updateEndpoint: v1/certificate-update caName: RA certSecretRef: name: oom-cert-service-client-tls-secret diff --git a/kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json b/kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json index 06e1087f60..5a967f0405 100644 --- a/kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json +++ b/kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json @@ -3,7 +3,7 @@ { "caName": "CLIENT", "url": "http://ejbca:8080/ejbca/publicweb/cmp/cmp", - "issuerDN": "CN=ManagementCA", + "issuerDN": "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345", "caMode": "CLIENT", "authentication": { "iak": "${CLIENT_IAK}", @@ -13,7 +13,7 @@ { "caName": "RA", "url": "http://ejbca:8080/ejbca/publicweb/cmp/cmpRA", - "issuerDN": "CN=ManagementCA", + "issuerDN": "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345", "caMode": "RA", "authentication": { "iak": "${RA_IAK}", @@ -21,4 +21,4 @@ } } ] -} \ No newline at end of file +} diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml index 2e149683d7..fbd545c12e 100644 --- a/kubernetes/platform/components/oom-cert-service/values.yaml +++ b/kubernetes/platform/components/oom-cert-service/values.yaml @@ -34,7 +34,7 @@ service: # Deployment configuration repository: "nexus3.onap.org:10001" -image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.3 +image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.4.0 pullPolicy: Always replicaCount: 1 diff --git a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json index 66a42f0171..0c9d6a504f 100755 --- a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json +++ b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json @@ -5,7 +5,8 @@ "port": 6969, "userName": "${RESTSERVER_USER}", "password": "${RESTSERVER_PASSWORD}", - "https": true + "https": true, + "prometheus": true }, "pdpStatusParameters":{ "pdpGroup": "defaultGroup", diff --git a/kubernetes/policy/components/policy-apex-pdp/resources/config/config.json b/kubernetes/policy/components/policy-apex-pdp/resources/config/config.json deleted file mode 100755 index d6bd17f65b..0000000000 --- a/kubernetes/policy/components/policy-apex-pdp/resources/config/config.json +++ /dev/null @@ -1,66 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2018 Ericsson. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} -{ - "javaProperties" : [ - ["javax.net.ssl.trustStore", "/opt/app/policy/apex-pdp/etc/ssl/policy-truststore"], - ["javax.net.ssl.trustStorePassword", "${TRUSTSTORE_PASSWORD_BASE64}"] - ], - "engineServiceParameters": { - "name": "MyApexEngine", - "version": "0.0.1", - "id": 45, - "instanceCount": 4, - "deploymentPort": 12345, - "policyModelFileName": "examples/models/SampleDomain/SamplePolicyModelJAVASCRIPT.json", - "engineParameters": { - "executorParameters": { - "JAVASCRIPT": { - "parameterClassName": "org.onap.policy.apex.plugins.executor.javascript.JavascriptExecutorParameters" - } - } - } - }, - "eventOutputParameters": { - "FirstProducer": { - "carrierTechnologyParameters": { - "carrierTechnology": "FILE", - "parameters": { - "standardIo": true - } - }, - "eventProtocolParameters": { - "eventProtocol": "JSON" - } - } - }, - "eventInputParameters": { - "FirstConsumer": { - "carrierTechnologyParameters": { - "carrierTechnology": "FILE", - "parameters": { - "standardIo": true - } - }, - "eventProtocolParameters": { - "eventProtocol": "JSON" - } - } - } -} diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml index eb6292a039..3983d932a0 100755 --- a/kubernetes/policy/components/policy-apex-pdp/values.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml @@ -49,7 +49,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-apex-pdp:2.5.2 +image: onap/policy-apex-pdp:2.6.0 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-api/resources/config/config.json b/kubernetes/policy/components/policy-api/resources/config/config.json index 729eea87ff..ce59965521 100755 --- a/kubernetes/policy/components/policy-api/resources/config/config.json +++ b/kubernetes/policy/components/policy-api/resources/config/config.json @@ -25,7 +25,8 @@ "userName":"${RESTSERVER_USER}", "password":"${RESTSERVER_PASSWORD}", "https": true, - "aaf": false + "aaf": false, + "prometheus": true }, "databaseProviderParameters": { "name": "PolicyProviderParameterGroup", diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml index 36eb5c4899..87ddd73adf 100755 --- a/kubernetes/policy/components/policy-api/values.yaml +++ b/kubernetes/policy/components/policy-api/values.yaml @@ -78,7 +78,7 @@ certInitializer: # Application configuration defaults. ################################################################# # application image -image: onap/policy-api:2.4.2 +image: onap/policy-api:2.5.0 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-distribution/resources/config/config.json b/kubernetes/policy/components/policy-distribution/resources/config/config.json index ae31633843..615afc6351 100755 --- a/kubernetes/policy/components/policy-distribution/resources/config/config.json +++ b/kubernetes/policy/components/policy-distribution/resources/config/config.json @@ -2,6 +2,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2020 AT&T Intellectual Property. +# Modifications Copyright (C) 2021 Bell Canada. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,7 +26,8 @@ "port":6969, "userName":"${RESTSERVER_USER}", "password":"${RESTSERVER_PASSWORD}", - "https":true + "https":true, + "prometheus": true }, "receptionHandlerParameters":{ "SDCReceptionHandler":{ @@ -69,8 +71,8 @@ ], "consumerGroup": "policy-group", "environmentName": "AUTO", - "keystorePath": "null", - "keystorePassword": "null", + "keyStorePath": "null", + "keyStorePassword": "null", "activeserverTlsAuth": false, "isFilterinEmptyResources": true, "isUseHttpsWithDmaap": true @@ -91,18 +93,21 @@ "parameterClassName":"org.onap.policy.distribution.forwarding.lifecycle.api.LifecycleApiForwarderParameters", "parameters":{ "apiParameters": { - "hostName": "policy-api", - "port": 6969, - "userName": "${API_USER}", - "password": "${API_PASSWORD}" - }, + "clientName": "policy-api", + "hostname": "policy-api", + "port": 6969, + "userName": "${API_USER}", + "password": "${API_PASSWORD}", + "useHttps": true + }, "papParameters": { - "hostName": "policy-pap", - "port": 6969, - "userName": "${PAP_USER}", - "password": "${PAP_PASSWORD}" + "clientName": "policy-pap", + "hostname": "policy-pap", + "port": 6969, + "userName": "${PAP_USER}", + "password": "${PAP_PASSWORD}", + "useHttps": true }, - "isHttps": true, "deployPolicies": true } } diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml index fb6ef6e039..1614bd840e 100755 --- a/kubernetes/policy/components/policy-distribution/values.yaml +++ b/kubernetes/policy/components/policy-distribution/values.yaml @@ -67,7 +67,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/policy-distribution:2.5.2 +image: onap/policy-distribution:2.6.0 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf index ec8d119fa6..ff532ab5c1 100755 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf @@ -1,6 +1,7 @@ {{/* # Copyright © 2017-2018 Amdocs, Bell Canada. # Modifications Copyright (C) 2018-2020 AT&T Intellectual Property. +# Modifications Copyright (C) 2021 Bell Canada. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -40,6 +41,7 @@ REPOSITORY_OFFLINE={{.Values.nexus.offline}} # Relational (SQL) DB access SQL_HOST={{ .Values.db.name }} +SQL_PORT=3306 # AAF @@ -47,6 +49,11 @@ AAF={{.Values.aaf.enabled}} AAF_NAMESPACE=org.onap.policy AAF_HOST=aaf-locate.{{.Release.Namespace}} +# HTTP Servers + +HTTP_SERVER_HTTPS=true +PROMETHEUS=true + # PDP-D DMaaP configuration channel PDPD_CONFIGURATION_TOPIC=PDPD-CONFIGURATION @@ -85,6 +92,7 @@ DCAE_CONSUMER_GROUP=dcae.policy.shared # Open DMaaP DMAAP_SERVERS=message-router +DMAAP_HTTPS=true # AAI diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/engine-system.properties b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/engine-system.properties new file mode 100644 index 0000000000..c7cca2b03a --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/engine-system.properties @@ -0,0 +1,45 @@ +# +# ============LICENSE_START======================================================= +# ONAP +# ================================================================================ +# Copyright (C) 2021 AT&T Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +# + +# system properties set within the application + +java.net.preferIPv4Stack=true + +# jmx + +com.sun.management.jmxremote.port=9991 +com.sun.management.jmxremote.authenticate=false +com.sun.management.jmxremote.ssl=false + +# certs + +javax.net.ssl.trustStore=${envd:TRUSTSTORE:/opt/app/policy/etc/ssl/policy-truststore} +javax.net.ssl.trustStorePassword=${envd:TRUSTSTORE_PASSWD} + +javax.net.ssl.keyStore=${envd:KEYSTORE} +javax.net.ssl.keyStorePassword=${envd:KEYSTORE_PASSWD} + +# kie + +kie.maven.offline.force=${envd:REPOSITORY_OFFLINE:false} + +# symmetric key for sensitive configuration data + +engine.symm.key=${envd:SYMM_KEY} diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/logback.xml b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/logback.xml index 7173d80e57..2fc08e4e5d 100755 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/logback.xml +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/logback.xml @@ -80,7 +80,7 @@ 30 10GB - + %X{RequestID}|%X{InvocationID}|%X{ServiceName}|%X{PartnerName}|%X{BeginTimestamp}|%X{EndTimestamp}|%X{ElapsedTime}|%X{ServiceInstanceID}|%X{VirtualServerName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDescription}|%X{InstanceUUID}|%X{Severity}|%X{TargetEntity}|%X{TargetServiceName}|%X{Server}|%X{ServerIPAddress}|%X{ServerFQDN}|%X{ClientIPAddress}|%X{ProcessKey}|%X{RemoteHost}||%X{TargetVirtualEntity}|%level|%thread| %msg%n @@ -98,7 +98,7 @@ 30 10GB - + %X{RequestID}|%X{InvocationID}|%X{ServiceName}|%X{PartnerName}|%X{BeginTimestamp}|%X{EndTimestamp}|%X{ElapsedTime}|%X{ServiceInstanceID}|%X{VirtualServerName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDescription}|%X{InstanceUUID}|%X{Severity}|%X{TargetEntity}|%X{TargetServiceName}|%X{Server}|%X{ServerIPAddress}|%X{ServerFQDN}|%X{ClientIPAddress}|%X{ProcessKey}|%X{RemoteHost}||%X{TargetVirtualEntity}|%level|%thread| %msg%n @@ -119,7 +119,7 @@ - + %X{RequestID}|%X{InvocationID}|%X{ServiceName}|%X{PartnerName}|%X{BeginTimestamp}|%X{EndTimestamp}|%X{ElapsedTime}|%X{ServiceInstanceID}|%X{VirtualServerName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDescription}|%X{InstanceUUID}|%X{Severity}|%X{TargetEntity}|%X{TargetServiceName}|%X{Server}|%X{ServerIPAddress}|%X{ServerFQDN}|%X{ClientIPAddress}|%X{ProcessKey}|%X{RemoteHost}||%X{TargetVirtualEntity}|%level|%thread| %msg%n @@ -130,7 +130,7 @@ - + %X{RequestID}|%X{InvocationID}|%X{ServiceName}|%X{PartnerName}|%X{BeginTimestamp}|%X{EndTimestamp}|%X{ElapsedTime}|%X{ServiceInstanceID}|%X{VirtualServerName}|%X{StatusCode}|%X{ResponseCode}|%X{ResponseDescription}|%X{InstanceUUID}|%X{Severity}|%X{TargetEntity}|%X{TargetServiceName}|%X{Server}|%X{ServerIPAddress}|%X{ServerFQDN}|%X{ClientIPAddress}|%X{ProcessKey}|%X{RemoteHost}||%X{TargetVirtualEntity}|%level|%thread| %msg%n diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml index 38d398998c..678cce74ee 100755 --- a/kubernetes/policy/components/policy-drools-pdp/values.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml @@ -1,4 +1,5 @@ -# Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2017 Amdocs +# Copyright © 2017, 2021 Bell Canada # Modifications Copyright © 2018-2021 AT&T Intellectual Property # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -34,7 +35,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-pdpd-cl:1.8.2 +image: onap/policy-pdpd-cl:1.9.0 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-pap/resources/config/config.json b/kubernetes/policy/components/policy-pap/resources/config/config.json index 0b30a27535..e5cbd22105 100755 --- a/kubernetes/policy/components/policy-pap/resources/config/config.json +++ b/kubernetes/policy/components/policy-pap/resources/config/config.json @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2019 Nordix Foundation. +# Modifications Copyright (C) 2021 AT&T Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,7 +26,8 @@ "userName":"${RESTSERVER_USER}", "password":"${RESTSERVER_PASSWORD}", "https": true, - "aaf": false + "aaf": false, + "prometheus": true }, "pdpParameters": { "heartBeatMs": 120000, @@ -47,6 +49,7 @@ "databasePassword": "${SQL_PASSWORD}", "persistenceUnit": "PolicyMariaDb" }, + "savePdpStatisticsInDb": true, "topicParameterGroup": { "topicSources" : [{ "topic" : "POLICY-PDP-PAP", @@ -54,6 +57,15 @@ "useHttps": true, "fetchTimeout": 15000, "topicCommInfrastructure" : "dmaap" + }, + { + "topic" : "POLICY-HEARTBEAT", + "effectiveTopic": "POLICY-PDP-PAP", + "consumerGroup": "policy-pap", + "servers" : [ "message-router" ], + "useHttps": true, + "fetchTimeout": 15000, + "topicCommInfrastructure" : "dmaap" }], "topicSinks" : [{ "topic" : "POLICY-PDP-PAP", diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml index 3c4c3e5ec6..c373e04cf2 100755 --- a/kubernetes/policy/components/policy-pap/values.yaml +++ b/kubernetes/policy/components/policy-pap/values.yaml @@ -92,7 +92,7 @@ certInitializer: # Application configuration defaults. ################################################################# # application image -image: onap/policy-pap:2.4.2 +image: onap/policy-pap:2.5.0 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json b/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json index a626a046a5..19b4d9c03b 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json +++ b/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json @@ -27,17 +27,20 @@ "userName": "${RESTSERVER_USER}", "password": "${RESTSERVER_PASSWORD}", "https": true, - "aaf": false + "aaf": false, + "prometheus": true }, "policyApiParameters": { - "host": "policy-api", + "hostname": "policy-api", "port": 6969, "userName": "${API_USER}", "password": "${API_PASSWORD}", - "https": true, + "useHttps": true, "aaf": false }, - "applicationPath": "/opt/app/policy/pdpx/apps", + "applicationParameters": { + "applicationPath": "/opt/app/policy/pdpx/apps" + }, "topicParameterGroup": { "topicSources" : [{ "topic" : "POLICY-PDP-PAP", diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml index 9eda53ee9b..91984cc81b 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml @@ -83,7 +83,7 @@ certInitializer: # Application configuration defaults. ################################################################# # application image -image: onap/policy-xacml-pdp:2.4.2 +image: onap/policy-xacml-pdp:2.5.0 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/resources/config/db.sh b/kubernetes/policy/resources/config/db.sh index 90c987984f..7b9437217d 100755 --- a/kubernetes/policy/resources/config/db.sh +++ b/kubernetes/policy/resources/config/db.sh @@ -18,10 +18,10 @@ mysql() { /usr/bin/mysql -h ${MYSQL_HOST} -P ${MYSQL_USER} "$@"; }; -for db in support onap_sdk log migration operationshistory10 pooling policyadmin policyclamp operationshistory +for db in migration pooling policyadmin policyclamp operationshistory do - mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};" - mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;" + mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};" + mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;" done mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "FLUSH PRIVILEGES;" diff --git a/kubernetes/esr/components/esr-gui/Chart.yaml b/kubernetes/policy/resources/config/db_migrator_policy_init.sh similarity index 69% rename from kubernetes/esr/components/esr-gui/Chart.yaml rename to kubernetes/policy/resources/config/db_migrator_policy_init.sh index 9f08c59485..d1cc108fec 100644 --- a/kubernetes/esr/components/esr-gui/Chart.yaml +++ b/kubernetes/policy/resources/config/db_migrator_policy_init.sh @@ -1,5 +1,6 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T +#!/bin/sh +{{/* +# Copyright (C) 2021 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,8 +13,9 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - -apiVersion: v1 -description: ONAP External System Register GUI -name: esr-gui -version: 8.0.0 +*/}} +/opt/app/policy/bin/prepare_upgrade.sh ${SQL_DB} +/opt/app/policy/bin/db-migrator -s ${SQL_DB} -o upgrade +rc=$? +/opt/app/policy/bin/db-migrator -s ${SQL_DB} -o report +exit $rc diff --git a/kubernetes/policy/templates/configmap.yaml b/kubernetes/policy/templates/configmap.yaml index 7809c746bb..17558f86ea 100755 --- a/kubernetes/policy/templates/configmap.yaml +++ b/kubernetes/policy/templates/configmap.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018, 2020 AT&T Intellectual Property +# Modifications Copyright (C) 2021 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,4 +27,4 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/db.sh").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/config/*.sh").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/templates/job.yaml b/kubernetes/policy/templates/job.yaml index 72c94f30c5..d781a634ae 100755 --- a/kubernetes/policy/templates/job.yaml +++ b/kubernetes/policy/templates/job.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada # Modifications Copyright © 2020 AT&T Intellectual Property +# Modifications Copyright (C) 2021 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -47,7 +48,6 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - containers: - name: {{ include "common.release" . }}-policy-galera-config image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.mariadb.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -70,6 +70,32 @@ spec: - name: MYSQL_PORT value: "{{ index .Values "mariadb-galera" "service" "internalPort" }}" resources: +{{ include "common.resources" . }} + containers: + - name: {{ include "common.release" . }}-policy-galera-db-migrator + image: {{ .Values.repository }}/{{ .Values.dbmigrator.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - mountPath: /dbcmd-config/db_migrator_policy_init.sh + name: {{ include "common.fullname" . }}-config + subPath: db_migrator_policy_init.sh + command: + - /bin/sh + args: + - -x + - /dbcmd-config/db_migrator_policy_init.sh + env: + - name: SQL_HOST + value: "{{ index .Values "mariadb-galera" "service" "name" }}" + - name: SQL_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} + - name: SQL_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + - name: SQL_DB + value: {{ .Values.dbmigrator.schema }} + - name: POLICY_HOME + value: {{ .Values.dbmigrator.policy_home }} + resources: {{ include "common.resources" . }} restartPolicy: Never serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} @@ -80,3 +106,5 @@ spec: items: - key: db.sh path: db.sh + - key: db_migrator_policy_init.sh + path: db_migrator_policy_init.sh diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml index 92344dd2fe..5478e5baa8 100755 --- a/kubernetes/policy/values.yaml +++ b/kubernetes/policy/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T Intellectual Property +# Modifications Copyright (C) 2021 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -84,6 +85,11 @@ pullPolicy: Always mariadb: image: mariadb:10.5.8 +dbmigrator: + image: onap/policy-db-migrator:2.3.0 + schema: policyadmin + policy_home: "/opt/app/policy" + subChartsOnly: enabled: true diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh index f5dcbff6bf..a363ab3bb0 100644 --- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh +++ b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh @@ -5,18 +5,18 @@ shopt -s nullglob # logging functions mysql_log() { - local type="$1"; shift - printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*" + local type="$1"; shift + printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*" } mysql_note() { - mysql_log Note "$@" + mysql_log Note "$@" } mysql_warn() { - mysql_log Warn "$@" >&2 + mysql_log Warn "$@" >&2 } mysql_error() { - mysql_log ERROR "$@" >&2 - exit 1 + mysql_log ERROR "$@" >&2 + exit 1 } # usage: file_env VAR [DEFAULT] @@ -24,170 +24,170 @@ mysql_error() { # (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of # "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) file_env() { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - mysql_error "Both $var and $fileVar are set (but are exclusive)" - fi - local val="$def" - # val="${!var}" - # val="$(< "${!fileVar}")" - # eval replacement of the bashism equivalents above presents no security issue here - # since var and fileVar variables contents are derived from the file_env() function arguments. - # This method is only called inside this script with a limited number of possible values. - if [ "${!var:-}" ]; then - eval val=\$$var - elif [ "${!fileVar:-}" ]; then - val="$(< "$(eval echo "\$$fileVar")")" - fi - export "$var"="$val" - unset "$fileVar" + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + mysql_error "Both $var and $fileVar are set (but are exclusive)" + fi + local val="$def" + # val="${!var}" + # val="$(< "${!fileVar}")" + # eval replacement of the bashism equivalents above presents no security issue here + # since var and fileVar variables contents are derived from the file_env() function arguments. + # This method is only called inside this script with a limited number of possible values. + if [ "${!var:-}" ]; then + eval val=\$$var + elif [ "${!fileVar:-}" ]; then + val="$(< "$(eval echo "\$$fileVar")")" + fi + export "$var"="$val" + unset "$fileVar" } # check to see if this file is being run or sourced from another script _is_sourced() { - # https://unix.stackexchange.com/a/215279 - [ "${#FUNCNAME[@]}" -ge 2 ] \ - && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ - && [ "${FUNCNAME[1]}" = 'source' ] + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] } # usage: docker_process_init_files [file [file [...]]] # ie: docker_process_init_files /always-initdb.d/* # process initializer files, based on file extensions docker_process_init_files() { - # mysql here for backwards compatibility "${mysql[@]}" - mysql=( docker_process_sql ) - - echo - local f - for f; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - mysql_note "$0: running $f" - "$f" - else - mysql_note "$0: sourcing $f" - . "$f" - fi - ;; - *.sql) mysql_note "$0: running $f"; docker_process_sql < "$f"; echo ;; - *.sql.gz) mysql_note "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; - *.sql.xz) mysql_note "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;; - *) mysql_warn "$0: ignoring $f" ;; - esac - echo - done + # mysql here for backwards compatibility "${mysql[@]}" + mysql=( docker_process_sql ) + + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + mysql_note "$0: running $f" + "$f" + else + mysql_note "$0: sourcing $f" + . "$f" + fi + ;; + *.sql) mysql_note "$0: running $f"; docker_process_sql < "$f"; echo ;; + *.sql.gz) mysql_note "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *.sql.xz) mysql_note "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;; + *) mysql_warn "$0: ignoring $f" ;; + esac + echo + done } mysql_check_config() { - local toRun=( "$@" --verbose --help --log-bin-index="$(mktemp -u)" ) errors - if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then - mysql_error "$(printf 'mysqld failed while attempting to check config\n\tcommand was: ')${toRun[*]}$(printf'\n\t')$errors" - fi + local toRun=( "$@" --verbose --help --log-bin-index="$(mktemp -u)" ) errors + if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then + mysql_error "$(printf 'mysqld failed while attempting to check config\n\tcommand was: ')${toRun[*]}$(printf'\n\t')$errors" + fi } # Fetch value from server config # We use mysqld --verbose --help instead of my_print_defaults because the # latter only show values present in config files, and not server defaults mysql_get_config() { - local conf="$1"; shift - "$@" --verbose --help --log-bin-index="$(mktemp -u)" 2>/dev/null \ - | awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' - # match "datadir /some/path with/spaces in/it here" but not "--xyz=abc\n datadir (xyz)" + local conf="$1"; shift + "$@" --verbose --help --log-bin-index="$(mktemp -u)" 2>/dev/null \ + | awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' + # match "datadir /some/path with/spaces in/it here" but not "--xyz=abc\n datadir (xyz)" } # Do a temporary startup of the MySQL server, for init purposes docker_temp_server_start() { - "$@" --skip-networking --socket="${SOCKET}" & - mysql_note "Waiting for server startup" - local i - for i in $(seq 30 -1 0); do - # only use the root password if the database has already been initializaed - # so that it won't try to fill in a password file when it hasn't been set yet - extraArgs="" - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - extraArgs=${extraArgs}" --dont-use-mysql-root-password" - fi - if echo 'SELECT 1' |docker_process_sql ${extraArgs} --database=mysql >/dev/null 2>&1; then - break - fi - sleep 1 - done - if [ "$i" = 0 ]; then - mysql_error "Unable to start server." - fi + "$@" --skip-networking --socket="${SOCKET}" & + mysql_note "Waiting for server startup" + local i + for i in $(seq 30 -1 0); do + # only use the root password if the database has already been initializaed + # so that it won't try to fill in a password file when it hasn't been set yet + extraArgs="" + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + extraArgs=${extraArgs}" --dont-use-mysql-root-password" + fi + if echo 'SELECT 1' |docker_process_sql ${extraArgs} --database=mysql >/dev/null 2>&1; then + break + fi + sleep 1 + done + if [ "$i" = 0 ]; then + mysql_error "Unable to start server." + fi } # Stop the server. When using a local socket file mysqladmin will block until # the shutdown is complete. docker_temp_server_stop() { - if ! mysqladmin --defaults-extra-file=<( _mysql_passfile ) shutdown -uroot --socket="${SOCKET}"; then - mysql_error "Unable to shut down server." - fi + if ! mysqladmin --defaults-extra-file=<( _mysql_passfile ) shutdown -uroot --socket="${SOCKET}"; then + mysql_error "Unable to shut down server." + fi } # Verify that the minimally required password settings are set for new databases. docker_verify_minimum_env() { - if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then - mysql_error "$(printf'Database is uninitialized and password option is not specified\n\tYou need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD')" - fi + if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then + mysql_error "$(printf'Database is uninitialized and password option is not specified\n\tYou need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD')" + fi } # creates folders for the database # also ensures permission for user mysql of run as root docker_create_db_directories() { - local user; user="$(id -u)" + local user; user="$(id -u)" - # TODO other directories that are used by default? like /var/lib/mysql-files - # see https://github.com/docker-library/mysql/issues/562 - mkdir -p "$DATADIR" + # TODO other directories that are used by default? like /var/lib/mysql-files + # see https://github.com/docker-library/mysql/issues/562 + mkdir -p "$DATADIR" - if [ "$user" = "0" ]; then - # this will cause less disk access than `chown -R` - find "$DATADIR" \! -user mysql -exec chown mysql '{}' + - fi + if [ "$user" = "0" ]; then + # this will cause less disk access than `chown -R` + find "$DATADIR" \! -user mysql -exec chown mysql '{}' + + fi } # initializes the database directory docker_init_database_dir() { - mysql_note "Initializing database files" - installArgs=" --datadir=$DATADIR --rpm " - if { mysql_install_db --help || :; } | grep -q -- '--auth-root-authentication-method'; then - # beginning in 10.4.3, install_db uses "socket" which only allows system user root to connect, switch back to "normal" to allow mysql root without a password - # see https://github.com/MariaDB/server/commit/b9f3f06857ac6f9105dc65caae19782f09b47fb3 - # (this flag doesn't exist in 10.0 and below) - installArgs=${installArgs}" --auth-root-authentication-method=normal" - fi - # "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here) - mysql_install_db ${installArgs} "$(echo ${@} | sed 's/^ *[^ ]* *//')" - mysql_note "Database files initialized" + mysql_note "Initializing database files" + installArgs=" --datadir=$DATADIR --rpm " + if { mysql_install_db --help || :; } | grep -q -- '--auth-root-authentication-method'; then + # beginning in 10.4.3, install_db uses "socket" which only allows system user root to connect, switch back to "normal" to allow mysql root without a password + # see https://github.com/MariaDB/server/commit/b9f3f06857ac6f9105dc65caae19782f09b47fb3 + # (this flag doesn't exist in 10.0 and below) + installArgs=${installArgs}" --auth-root-authentication-method=normal" + fi + # "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here) + mysql_install_db ${installArgs} "$(echo ${@} | sed 's/^ *[^ ]* *//')" + mysql_note "Database files initialized" } # Loads various settings that are used elsewhere in the script # This should be called after mysql_check_config, but before any other functions docker_setup_env() { - # Get config - declare -g DATADIR SOCKET - DATADIR="$(mysql_get_config 'datadir' "$@")" - SOCKET="$(mysql_get_config 'socket' "$@")" - - # Initialize values that might be stored in a file - file_env 'MYSQL_ROOT_HOST' '%' - file_env 'MYSQL_DATABASE' - file_env 'MYSQL_USER' - file_env 'MYSQL_PASSWORD' - file_env 'MYSQL_ROOT_PASSWORD' - file_env 'PORTAL_DB_TABLES' - - declare -g DATABASE_ALREADY_EXISTS - if [ -d "$DATADIR/mysql" ]; then - DATABASE_ALREADY_EXISTS='true' - fi + # Get config + declare -g DATADIR SOCKET + DATADIR="$(mysql_get_config 'datadir' "$@")" + SOCKET="$(mysql_get_config 'socket' "$@")" + + # Initialize values that might be stored in a file + file_env 'MYSQL_ROOT_HOST' '%' + file_env 'MYSQL_DATABASE' + file_env 'MYSQL_USER' + file_env 'MYSQL_PASSWORD' + file_env 'MYSQL_ROOT_PASSWORD' + file_env 'PORTAL_DB_TABLES' + + declare -g DATABASE_ALREADY_EXISTS + if [ -d "$DATADIR/mysql" ]; then + DATABASE_ALREADY_EXISTS='true' + fi } # Execute sql script, passed via stdin @@ -195,178 +195,178 @@ docker_setup_env() { # ie: docker_process_sql --database=mydb <<<'INSERT ...' # ie: docker_process_sql --dont-use-mysql-root-password --database=mydb /dev/null; then - set -- mysqld "$@" - fi - - # skip setup if they aren't running mysqld or want an option that stops mysqld - if [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then - mysql_note "Entrypoint script for MySQL Server ${MARIADB_VERSION} started." - - mysql_check_config "$@" - # Load various environment variables - docker_setup_env "$@" - docker_create_db_directories - - # If container is started as root user, restart as dedicated mysql user - if [ "$(id -u)" = "0" ]; then - mysql_note "Switching to dedicated user 'mysql'" - exec gosu mysql "$0" "$@" - fi - - # there's no database, so it needs to be initialized - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir "$@" - - mysql_note "Starting temporary server" - docker_temp_server_start "$@" - mysql_note "Temporary server started." - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - for i in $(echo $PORTAL_DB_TABLES | sed "s/,/ /g") - do - echo "Granting portal user ALL PRIVILEGES for table $i" - echo "GRANT ALL ON \`$i\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}" - done - - mysql_note "Stopping temporary server" - docker_temp_server_stop - mysql_note "Temporary server stopped" - - echo - mysql_note "MySQL init process done. Ready for start up." - echo - fi - fi - exec "$@" + # if command starts with an option, prepend mysqld + if echo "$1" | grep '^-' >/dev/null; then + set -- mysqld "$@" + fi + + # skip setup if they aren't running mysqld or want an option that stops mysqld + if [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then + mysql_note "Entrypoint script for MySQL Server ${MARIADB_VERSION} started." + + mysql_check_config "$@" + # Load various environment variables + docker_setup_env "$@" + docker_create_db_directories + + # If container is started as root user, restart as dedicated mysql user + if [ "$(id -u)" = "0" ]; then + mysql_note "Switching to dedicated user 'mysql'" + exec gosu mysql "$0" "$@" + fi + + # there's no database, so it needs to be initialized + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir "$@" + + mysql_note "Starting temporary server" + docker_temp_server_start "$@" + mysql_note "Temporary server started." + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + for i in $(echo $PORTAL_DB_TABLES | sed "s/,/ /g") + do + echo "Granting portal user ALL PRIVILEGES for table $i" + echo "GRANT ALL ON \`$i\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}" + done + + mysql_note "Stopping temporary server" + docker_temp_server_stop + mysql_note "Temporary server stopped" + + echo + mysql_note "MySQL init process done. Ready for start up." + echo + fi + fi + exec "$@" } # If we are sourced from elsewhere, don't perform any further actions if ! _is_sourced; then - _main "$@" + _main "$@" fi diff --git a/kubernetes/robot/demo-k8s.sh b/kubernetes/robot/demo-k8s.sh index 0d30557220..37631bc673 100755 --- a/kubernetes/robot/demo-k8s.sh +++ b/kubernetes/robot/demo-k8s.sh @@ -19,46 +19,46 @@ # usage () { - echo "Usage: demo-k8s.sh [] [execscript]" - echo " " - echo " demo-k8s.sh init" - echo " - Execute both init_customer + distribute" - echo " " - echo " demo-k8s.sh init_customer" - echo " - Create demo customer (Demonstration) and services, etc." - echo " " - echo " demo-k8s.sh distribute []" - echo " - Distribute demo models (demoVFW and demoVLB)" - echo " " - echo " demo-k8s.sh preload " - echo " - Preload data for VNF for the " - echo " " - echo " demo-k8s.sh appc " - echo " - provide APPC with vFW module mount point for closed loop" - echo " " - echo " demo-k8s.sh init_robot [ ]" - echo " - Initialize robot after all ONAP VMs have started" - echo " " - echo " demo-k8s.sh instantiateVFW" - echo " - Instantiate vFW module for the demo customer (DemoCust)" - echo " " - echo " demo-k8s.sh instantiateVFWdirectso csar_filename" - echo " - Instantiate vFW module using direct SO interface using previously distributed model " + echo "Usage: demo-k8s.sh [] [execscript]" + echo " " + echo " demo-k8s.sh init" + echo " - Execute both init_customer + distribute" + echo " " + echo " demo-k8s.sh init_customer" + echo " - Create demo customer (Demonstration) and services, etc." + echo " " + echo " demo-k8s.sh distribute []" + echo " - Distribute demo models (demoVFW and demoVLB)" + echo " " + echo " demo-k8s.sh preload " + echo " - Preload data for VNF for the " + echo " " + echo " demo-k8s.sh appc " + echo " - provide APPC with vFW module mount point for closed loop" + echo " " + echo " demo-k8s.sh init_robot [ ]" + echo " - Initialize robot after all ONAP VMs have started" + echo " " + echo " demo-k8s.sh instantiateVFW" + echo " - Instantiate vFW module for the demo customer (DemoCust)" + echo " " + echo " demo-k8s.sh instantiateVFWdirectso csar_filename" + echo " - Instantiate vFW module using direct SO interface using previously distributed model " echo " that is in /tmp/csar in robot container" - echo " " + echo " " echo " demo-k8s.sh instantiateVLB_CDS" echo " - Instantiate vLB module using CDS with a preloaded CBA " echo " " - echo " demo-k8s.sh deleteVNF " - echo " - Delete the module created by instantiateVFW" - echo " " - echo " demo-k8s.sh vfwclosedloop " + echo " demo-k8s.sh deleteVNF " + echo " - Delete the module created by instantiateVFW" + echo " " + echo " demo-k8s.sh vfwclosedloop " echo " - vFWCL: Sets the packet generator to high and low rates, and checks whether the policy " echo " kicks in to modulate the rates back to medium" - echo " " - echo " demo-k8s.sh [] execscript" - echo " - Optional parameter to execute user custom scripts located in scripts/demoscript directory" - echo " " + echo " " + echo " demo-k8s.sh [] execscript" + echo " - Optional parameter to execute user custom scripts located in scripts/demoscript directory" + echo " " } # Check if execscript flag is used and drop it from input arguments @@ -74,8 +74,8 @@ echo "Number of parameters:" echo $# if [ $# -lt 2 ];then - usage - exit + usage + exit fi NAMESPACE=$1 @@ -86,80 +86,80 @@ shift ## while [ $# -gt 0 ] do - key="$1" + key="$1" echo "KEY:" echo $key - case $key in - init_robot) - TAG="UpdateWebPage" - echo "WEB Site Password for user 'test': " - stty -echo - read WEB_PASSWORD - stty echo - if [ "$WEB_PASSWORD" = "" ]; then - echo "" - echo "WEB Password is required for user 'test'" - exit - fi - VARIABLES="$VARIABLES -v WEB_PASSWORD:$WEB_PASSWORD" - shift - if [ $# -eq 2 ];then - VARIABLES="$VARIABLES -v HOSTS_PREFIX:$1" - fi - shift - ;; - init) - TAG="InitDemo" - shift - ;; - vescollector) - TAG="vescollector" - shift - ;; + case $key in + init_robot) + TAG="UpdateWebPage" + echo "WEB Site Password for user 'test': " + stty -echo + read WEB_PASSWORD + stty echo + if [ "$WEB_PASSWORD" = "" ]; then + echo "" + echo "WEB Password is required for user 'test'" + exit + fi + VARIABLES="$VARIABLES -v WEB_PASSWORD:$WEB_PASSWORD" + shift + if [ $# -eq 2 ];then + VARIABLES="$VARIABLES -v HOSTS_PREFIX:$1" + fi + shift + ;; + init) + TAG="InitDemo" + shift + ;; + vescollector) + TAG="vescollector" + shift + ;; distribute_vcpe) - TAG="distributeVCPE" - shift - ;; - init_customer) - TAG="InitCustomer" - shift - ;; - distribute) - TAG="InitDistribution" - shift - if [ $# -eq 1 ];then - VARIABLES="$VARIABLES -v DEMO_PREFIX:$1" - fi - shift - ;; - preload) - TAG="PreloadDemo" - shift - if [ $# -ne 2 ];then - echo "Usage: demo-k8s.sh preload " - exit - fi - VARIABLES="$VARIABLES -v VNF_NAME:$1" - shift - VARIABLES="$VARIABLES -v MODULE_NAME:$1" - shift - ;; - appc) - TAG="APPCMountPointDemo" - shift - if [ $# -ne 1 ];then - echo "Usage: demo-k8s.sh appc " - exit - fi - VARIABLES="$VARIABLES -v MODULE_NAME:$1" - shift - ;; - instantiateVFW) - TAG="instantiateVFW" - VARIABLES="$VARIABLES -v GLOBAL_BUILD_NUMBER:$$" - shift - ;; + TAG="distributeVCPE" + shift + ;; + init_customer) + TAG="InitCustomer" + shift + ;; + distribute) + TAG="InitDistribution" + shift + if [ $# -eq 1 ];then + VARIABLES="$VARIABLES -v DEMO_PREFIX:$1" + fi + shift + ;; + preload) + TAG="PreloadDemo" + shift + if [ $# -ne 2 ];then + echo "Usage: demo-k8s.sh preload " + exit + fi + VARIABLES="$VARIABLES -v VNF_NAME:$1" + shift + VARIABLES="$VARIABLES -v MODULE_NAME:$1" + shift + ;; + appc) + TAG="APPCMountPointDemo" + shift + if [ $# -ne 1 ];then + echo "Usage: demo-k8s.sh appc " + exit + fi + VARIABLES="$VARIABLES -v MODULE_NAME:$1" + shift + ;; + instantiateVFW) + TAG="instantiateVFW" + VARIABLES="$VARIABLES -v GLOBAL_BUILD_NUMBER:$$" + shift + ;; instantiateVFWdirectso) TAG="instantiateVFWdirectso" shift @@ -175,21 +175,21 @@ do VARIABLES="$VARIABLES -v GLOBAL_BUILD_NUMBER:$$" shift ;; - deleteVNF) - TAG="deleteVNF" - shift - if [ $# -ne 1 ];then - echo "Usage: demo-k8s.sh deleteVNF " - exit - fi - VARFILE=$1.py - VARIABLES="$VARIABLES -V /share/${VARFILE}" - shift - ;; - cds) - TAG="cds" - shift - ;; + deleteVNF) + TAG="deleteVNF" + shift + if [ $# -ne 1 ];then + echo "Usage: demo-k8s.sh deleteVNF " + exit + fi + VARFILE=$1.py + VARIABLES="$VARIABLES -V /share/${VARFILE}" + shift + ;; + cds) + TAG="cds" + shift + ;; distributeVFWNG) TAG="distributeVFWNG" shift @@ -208,10 +208,10 @@ do VARIABLES="$VARIABLES -v PACKET_GENERATOR_HOST:$1 -v pkg_host:$1" shift ;; - *) - usage - exit - esac + *) + usage + exit + esac done set -x diff --git a/kubernetes/robot/resources/config/eteshare/config/robot_properties.py b/kubernetes/robot/resources/config/eteshare/config/robot_properties.py index 39448a72c5..ac663da769 100644 --- a/kubernetes/robot/resources/config/eteshare/config/robot_properties.py +++ b/kubernetes/robot/resources/config/eteshare/config/robot_properties.py @@ -128,8 +128,8 @@ GLOBAL_AAF_USERNAME = '{{ .Values.aafUsername }}' GLOBAL_AAF_PASSWORD = '{{ .Values.aafPassword }}' GLOBAL_AAF_AUTHENTICATION = [GLOBAL_AAF_USERNAME, GLOBAL_AAF_PASSWORD] # aai info - everything is from the private oam network (also called onap private network) -GLOBAL_AAI_SERVER_PROTOCOL = "https" -GLOBAL_AAI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "aai" "port" 8443) }}' +GLOBAL_AAI_SERVER_PROTOCOL = '{{ include "common.scheme" . }}' +GLOBAL_AAI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "aai" "port" ( ternary 8443 80 (eq "true" (include "common.needTLS" . )))) }}' GLOBAL_AAI_USERNAME = '{{ .Values.aaiUsername }}' GLOBAL_AAI_PASSWORD = '{{ .Values.aaiPassword}}' GLOBAL_AAI_AUTHENTICATION = [GLOBAL_AAI_USERNAME, GLOBAL_AAI_PASSWORD] diff --git a/kubernetes/robot/scripts/etescript/hvves-etescript.sh b/kubernetes/robot/scripts/etescript/hvves-etescript.sh index 63e90cdec6..eb04e07fa1 100755 --- a/kubernetes/robot/scripts/etescript/hvves-etescript.sh +++ b/kubernetes/robot/scripts/etescript/hvves-etescript.sh @@ -24,46 +24,46 @@ HVVESPOD=$(kubectl -n $NAMESPACE get pods --no-headers=true -o custom-columns=:m generate_ca_key_cert () { - openssl genrsa -out $1/ca.key 2048 - openssl req -new -x509 -days 36500 -key $1/ca.key -out $1/ca.pem -subj /CN=dcae-hv-ves-ca.onap + openssl genrsa -out $1/ca.key 2048 + openssl req -new -x509 -days 36500 -key $1/ca.key -out $1/ca.pem -subj /CN=dcae-hv-ves-ca.onap } generate_server_key_csr () { - openssl genrsa -out $1/server.key 2048 - openssl req -new -key $1/server.key -out $1/server.csr -subj /CN=dcae-hv-ves-collector.onap + openssl genrsa -out $1/server.key 2048 + openssl req -new -key $1/server.key -out $1/server.csr -subj /CN=dcae-hv-ves-collector.onap } generate_client_key_csr () { - openssl genrsa -out $1/client.key 2048 - openssl req -new -key $1/client.key -out $1/client.csr -subj /CN=dcae-hv-ves-client.onap + openssl genrsa -out $1/client.key 2048 + openssl req -new -key $1/client.key -out $1/client.csr -subj /CN=dcae-hv-ves-client.onap } sign_server_and_client_cert () { - openssl x509 -req -days 36500 -in $1/server.csr -CA $1/ca.pem -CAkey $1/ca.key -out $1/server.pem -set_serial 00 - openssl x509 -req -days 36500 -in $1/client.csr -CA $1/ca.pem -CAkey $1/ca.key -out $1/client.pem -set_serial 00 + openssl x509 -req -days 36500 -in $1/server.csr -CA $1/ca.pem -CAkey $1/ca.key -out $1/server.pem -set_serial 00 + openssl x509 -req -days 36500 -in $1/client.csr -CA $1/ca.pem -CAkey $1/ca.key -out $1/client.pem -set_serial 00 } create_pkcs12_ca_and_server () { - openssl pkcs12 -export -out $1/ca.p12 -inkey $1/ca.key -in $1/ca.pem -passout pass: - openssl pkcs12 -export -out $1/server.p12 -inkey $1/server.key -in $1/server.pem -passout pass: + openssl pkcs12 -export -out $1/ca.p12 -inkey $1/ca.key -in $1/ca.pem -passout pass: + openssl pkcs12 -export -out $1/server.p12 -inkey $1/server.key -in $1/server.pem -passout pass: } copy_server_certs_to_hvves () { - for f in ca.p12 server.p12 - do - kubectl cp $1/$f $2/$3:$4 - done + for f in ca.p12 server.p12 + do + kubectl cp $1/$f $2/$3:$4 + done } copy_client_certs_to_robot () { - for f in ca.pem client.key client.pem - do + for f in ca.pem client.key client.pem + do kubectl cp $1/$f $2/$3:$4 done } cleanup () { - rm -f $1/ca.??? $1/server.??? s$1/client.??? + rm -f $1/ca.??? $1/server.??? s$1/client.??? } diff --git a/kubernetes/robot/scripts/etescript/security-etescript.sh b/kubernetes/robot/scripts/etescript/security-etescript.sh index 1cd911ca60..bf51329431 100755 --- a/kubernetes/robot/scripts/etescript/security-etescript.sh +++ b/kubernetes/robot/scripts/etescript/security-etescript.sh @@ -25,29 +25,29 @@ TMPTPL='onap_security' CSV2JSON='import csv; import json; import sys; print(json.dumps({i[0]: i[1] for i in csv.reader(sys.stdin)}))' FILTER="$(tr -d [:space:] <