From: Micha? Jagie??o Date: Tue, 8 Aug 2023 07:55:53 +0000 (+0000) Subject: Merge "[COMMON][SA] Add default role creation to ServiceAccount" X-Git-Tag: 13.0.0-DOC~22 X-Git-Url: https://gerrit.onap.org/r/gitweb?p=oom.git;a=commitdiff_plain;h=930f3dcb63f5fdd99cac9f80adfafe95fdc43322;hp=d4f832dbaf2f190c5bed08aff3d56f9378a3d5f9 Merge "[COMMON][SA] Add default role creation to ServiceAccount" --- diff --git a/kubernetes/common/cert-wrapper/values.yaml b/kubernetes/common/cert-wrapper/values.yaml index fcece0e3f5..34f3ad5eea 100644 --- a/kubernetes/common/cert-wrapper/values.yaml +++ b/kubernetes/common/cert-wrapper/values.yaml @@ -15,3 +15,5 @@ certInitializer: nameOverride: cert-initializer createCertsCM: true + serviceAccount: + nameOverride: cert-initializer \ No newline at end of file diff --git a/kubernetes/common/certInitializer/Chart.yaml b/kubernetes/common/certInitializer/Chart.yaml index e1bb478d8a..d70b1de52b 100644 --- a/kubernetes/common/certInitializer/Chart.yaml +++ b/kubernetes/common/certInitializer/Chart.yaml @@ -29,3 +29,6 @@ dependencies: - name: repositoryGenerator version: ~13.x-0 repository: 'file://../repositoryGenerator' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/common/certInitializer/templates/job.yaml b/kubernetes/common/certInitializer/templates/job.yaml index 84a3e87098..3120455300 100644 --- a/kubernetes/common/certInitializer/templates/job.yaml +++ b/kubernetes/common/certInitializer/templates/job.yaml @@ -36,6 +36,7 @@ spec: volumeMounts: {{ include "common.certInitializer.volumeMount" (dict "dot" . "initRoot" .Values) | nindent 8 }} - name: ingress-scripts mountPath: /ingress + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: {{ include "common.certInitializer.volumes" (dict "dot" . "initRoot" .Values) | nindent 6 }} - name: localtime hostPath: diff --git a/kubernetes/common/certInitializer/values.yaml b/kubernetes/common/certInitializer/values.yaml index 747c94f4d1..0fde2cf532 100644 --- a/kubernetes/common/certInitializer/values.yaml +++ b/kubernetes/common/certInitializer/values.yaml @@ -70,3 +70,9 @@ envVarToCheck: cadi_keystore_password_p12 # We had to move this CM to a separate chart to reduce the total size of our charts # as it exceeds the default helm limits. certsCMName: '{{ include "common.release" . }}-cert-wrapper-certs' + +#Pods Service Account +serviceAccount: + nameOverride: certinitializer + roles: + - read \ No newline at end of file diff --git a/kubernetes/common/common/Chart.yaml b/kubernetes/common/common/Chart.yaml index f66a0c6bb9..e134fe8048 100644 --- a/kubernetes/common/common/Chart.yaml +++ b/kubernetes/common/common/Chart.yaml @@ -16,4 +16,4 @@ apiVersion: v2 description: Common templates for inclusion in other charts name: common -version: 13.0.0 +version: 13.0.1 diff --git a/kubernetes/common/common/templates/_dmaapProvisioning.tpl b/kubernetes/common/common/templates/_dmaapProvisioning.tpl index fae16ff7eb..3cf5bf1207 100644 --- a/kubernetes/common/common/templates/_dmaapProvisioning.tpl +++ b/kubernetes/common/common/templates/_dmaapProvisioning.tpl @@ -1,7 +1,7 @@ {{/* ################################################################################ # Copyright (C) 2021 Nordix Foundation. # -# Copyright (c) 2022 J. F. Lucas. All rights reserved. # +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # # # # Licensed under the Apache License, Version 2.0 (the "License"); # # you may not use this file except in compliance with the License. # @@ -19,51 +19,54 @@ {{/* This template generates a Kubernetes init containers common template to enable applications to provision - DMaaP feeds (on Data Router), with associated authorization. - DMaap Bus Controller endpoints are used to provision: - - - Feed on DR, with associated user authentication. + DMaaP feeds (on Data Router) for DCAE microservices, with associated authorization. + DMaap Data Router (DR) endpoints are used to provision: + - Feeds on DR, with associated user authentication. + - Subscribers to feeds on DR, to provide DR with username, password, and URL needed to deliver + files to subscribers. common.dmaap.provisioning.initContainer: - This template make use of Dmaap Bus Controller docker image to create resources on Dmaap Data Router - microservice, with the help of dbc-client.sh script it makes use of Bus Controller API to create Feeds. - If the resource creation is successful via script response is logged back at particular location with - appropriate naming convention. - - More details can be found at : - (https://wiki.onap.org/pages/viewpage.action?pageId=103417564) + This template creates an initContainer with some associated volumes. The initContainer + (oom/kubernetes/dmaap-datarouter/drprov-client) runs a script (drprov-client.sh) that uses the + DR provisioning API to create the feeds and subscribers needed by a microservice. The script + updates the microservice's configuration to supply information needed to access the feeds. The + configuration information comes from two volumes that are created by the dcaegen2-services-common + templates. + - app-config-input: comes from a configMap generated from the microservice's values.yaml file. + It may contain references to environment variables as placeholders for feed information that + will become available after feeds are provisioned. + - app-config: this template will copy the configuration file from the app-config-input volume, + replaced the environment variable references with the actual values for feed information, based + on data returned by the DR provisioning API. The template directly references data in .Values, and indirectly (through its use of templates from the ONAP "common" collection) references data in .Release. - Parameter for _dmaapProvisioning to be defined in values.yaml + Parameters for _dmaapProvisioning to be defined in values.yaml: + # DataRouter Feed Configuration + # (Note that DR configures publishers as part of the feed.) drFeedConfig: - feedName: bulk_pm_feed - owner: dcaecm feedVersion: 0.0 - asprClassification: unclassified + classification: unclassified feedDescription: DFC Feed Creation - - # DataRouter Publisher Configuration - drPubConfig: - - feedName: bulk_pm_feed - dcaeLocationName: loc00 + publisher: + username: xyz + password: xyz # DataRouter Subscriber Configuration drSubConfig: - feedName: bulk_pm_feed + feedVersion: 0.0 decompress: True - dcaeLocationName: loc00 privilegedSubscriber: True deliveryURL: https://dcae-pm-mapper:8443/delivery - # ConfigMap Configuration for DR Feed, Dr_Publisher, Dr_Subscriber + # ConfigMap Configuration for DR Feed, Dr_Subscriber volumes: - name: feeds-config path: /opt/app/config/feeds - - name: drpub-config - path: /opt/app/config/dr_pubs - name: drsub-config path: /opt/app/config/dr_subs @@ -76,8 +79,10 @@ {{- define "common.dmaap.provisioning._volumeMounts" -}} {{- $dot := default . .dot -}} -- mountPath: /opt/app/config/cache - name: dbc-response-cache +- mountPath: /config-input + name: app-config-input +- mountPath: /config + name: app-config {{- range $name, $volume := $dot.Values.volumes }} - name: {{ $volume.name }} mountPath: {{ $volume.path }} @@ -86,8 +91,6 @@ {{- define "common.dmaap.provisioning._volumes" -}} {{- $dot := default . .dot -}} -- name: dbc-response-cache - emptyDir: {} {{- range $name, $volume := $dot.Values.volumes }} - name: {{ $volume.name }} configMap: @@ -98,20 +101,14 @@ {{- define "common.dmaap.provisioning.initContainer" -}} {{- $dot := default . .dot -}} -{{- $drFeedConfig := default $dot.Values.drFeedConfig .drFeedConfig -}} -{{- if $drFeedConfig -}} +{{- $drNeedProvisioning := or $dot.Values.drFeedConfig $dot.Values.drSubConfig -}} +{{- if $drNeedProvisioning -}} - name: {{ include "common.name" $dot }}-init-dmaap-provisioning - image: {{ include "repositoryGenerator.image.dbcClient" $dot }} + image: {{ include "repositoryGenerator.image.drProvClient" $dot }} imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} env: - - name: PROTO - value: "http" - - name: PORT - value: "8080" - - name: RESP_CACHE - value: /opt/app/config/cache - - name: REQUESTID - value: "{{ include "common.name" $dot }}-dmaap-provisioning" + - name: ONBEHALFHDR + value: "X-DMAAP-DR-ON-BEHALF-OF: drprovcl" {{- range $cred := $dot.Values.credentials }} - name: {{ $cred.name }} {{- include "common.secret.envFromSecretFast" (dict "global" $dot "uid" $cred.uid "key" $cred.key) | nindent 4 }} @@ -119,56 +116,5 @@ volumeMounts: {{- include "common.dmaap.provisioning._volumeMounts" $dot | trim | nindent 2 }} resources: {{ include "common.resources" $dot | nindent 4 }} -- name: {{ include "common.name" $dot }}-init-merge-config - image: {{ include "repositoryGenerator.image.envsubst" $dot }} - imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} - command: - - /bin/sh - args: - - -c - - | - set -uex -o pipefail - if [ -d /opt/app/config/cache ]; then - cd /opt/app/config/cache - for file in $(ls feed*); do - NUM=$(echo "$file" | sed 's/feedConfig-\([0-9]\+\)-resp.json/\1/') - export DR_LOG_URL_"$NUM"="$(grep -o '"logURL":"[^"]*' "$file" | grep -w "feedlog" | cut -d '"' -f4)" - export DR_FILES_PUBLISHER_URL_"$NUM"="$(grep -o '"publishURL":"[^"]*' "$file" | cut -d '"' -f4)" - done - for file in $(ls drpub*); do - NUM=$(echo "$file" | sed 's/drpubConfig-\([0-9]\+\)-resp.json/\1/') - export DR_FILES_PUBLISHER_ID_"$NUM"="$(grep -o '"pubId":"[^"]*' "$file" | cut -d '"' -f4)" - done - for file in $(ls drsub*); do - NUM=$(echo "$file" | sed 's/drsubConfig-\([0-9]\+\)-resp.json/\1/') - export DR_FILES_SUBSCRIBER_ID_"$NUM"="$(grep -o '"subId":"[^"]*' "$file" | cut -d '"' -f4)" - done - for file in $(ls topics*); do - NUM=$(echo "$file" | sed 's/topicsConfig-\([0-9]\+\)-resp.json/\1/') - export MR_FILES_PUBLISHER_CLIENT_ID_"$NUM"="$(grep -o '"mrClientId":"[^"]*' "$file" | cut -d '"' -f4)" - done - else - echo "No Response logged for Dmaap BusController Http POST Request..!" - fi - cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done - env: - {{- range $cred := $dot.Values.credentials }} - - name: {{ $cred.name }} - {{- include "common.secret.envFromSecretFast" (dict "global" $dot "uid" $cred.uid "key" $cred.key) | nindent 4 }} - {{- end }} - volumeMounts: - - mountPath: /opt/app/config/cache - name: dbc-response-cache - - mountPath: /config-input - name: app-config-input - - mountPath: /config - name: app-config - resources: - limits: - cpu: 200m - memory: 250Mi - requests: - cpu: 100m - memory: 200Mi {{- end -}} {{- end -}} \ No newline at end of file diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl index db276d546c..968cb65a78 100644 --- a/kubernetes/common/common/templates/_ingress.tpl +++ b/kubernetes/common/common/templates/_ingress.tpl @@ -28,6 +28,171 @@ true {{- end -}} {{- end -}} +{{/* + Helper function to check, if Ingress is enabled +*/}} +{{- define "common.ingress._enabled" -}} +{{- $dot := default . .dot -}} +{{- if $dot.Values.ingress -}} +{{- if $dot.Values.global.ingress -}} +{{- if (default false $dot.Values.global.ingress.enabled) -}} +{{- if (default false $dot.Values.global.ingress.enable_all) -}} +true +{{- else -}} +{{- if $dot.Values.ingress.enabled -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Helper function to check, if TLS redirect is enabled +*/}} +{{- define "common.ingress._tlsRedirect" -}} +{{- $dot := default . .dot -}} +{{- if $dot.Values.global.ingress.config }} +{{- if $dot.Values.global.ingress.config.ssl }} +{{- if eq $dot.Values.global.ingress.config.ssl "redirect" }} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Helper function to get the Ingress Provider (default is "ingress") +*/}} +{{- define "common.ingress._provider" -}} +{{- $dot := default . .dot -}} +{{- $provider := "ingress" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.provider -}} +{{- if ne $dot.Values.global.ingress.provider "" -}} +{{ $provider = $dot.Values.global.ingress.provider }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $provider -}} +{{- end -}} + +{{/* + Helper function to get the Ingress Class (default is "nginx") +*/}} +{{- define "common.ingress._class" -}} +{{- $dot := default . .dot -}} +{{- $class := "nginx" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.ingressClass -}} +{{- if ne $dot.Values.global.ingress.ingressClass "" -}} +{{ $class = $dot.Values.global.ingress.ingressClass }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $class -}} +{{- end -}} + +{{/* + Helper function to get the Ingress Selector (default is "ingress") +*/}} +{{- define "common.ingress._selector" -}} +{{- $dot := default . .dot -}} +{{- $selector := "ingress" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.ingressSelector -}} +{{- if ne $dot.Values.global.ingress.ingressSelector "" -}} +{{ $selector = $dot.Values.global.ingress.ingressSelector }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $selector -}} +{{- end -}} + +{{/* + Helper function to get the common Gateway, if exists +*/}} +{{- define "common.ingress._commonGateway" -}} +{{- $dot := default . .dot -}} +{{- $gateway := "-" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.commonGateway -}} +{{- if $dot.Values.global.ingress.commonGateway.name -}} +{{ $gateway = $dot.Values.global.ingress.commonGateway.name }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $gateway -}} +{{- end -}} + +{{/* + Helper function to get the common Gateway HTTP Listener name, if exists +*/}} +{{- define "common.ingress._gatewayHTTPListener" -}} +{{- $dot := default . .dot -}} +{{- $listener := "http-80" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.commonGateway -}} +{{- if $dot.Values.global.ingress.commonGateway.name -}} +{{ $listener = $dot.Values.global.ingress.commonGateway.httpListener }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $listener -}} +{{- end -}} + +{{/* + Helper function to get the common Gateway HTTPS Listener name, if exists +*/}} +{{- define "common.ingress._gatewayHTTPSListener" -}} +{{- $dot := default . .dot -}} +{{- $listener := "https-443" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.commonGateway -}} +{{- if $dot.Values.global.ingress.commonGateway.name -}} +{{ $listener = $dot.Values.global.ingress.commonGateway.httpsListener }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $listener -}} +{{- end -}} + +{{/* + Helper function to check the existance of an override value +*/}} +{{- define "common.ingress._overrideIfDefined" -}} + {{- $currValue := .currVal }} + {{- $parent := .parent }} + {{- $var := .var }} + {{- if $parent -}} + {{- if hasKey $parent $var }} + {{- default "" (index $parent $var) }} + {{- else -}} + {{- default "" $currValue -}} + {{- end -}} + {{- else -}} + {{- default "" $currValue }} + {{- end -}} +{{- end -}} + +{{/* + Helper function to get the protocol of the service +*/}} +{{- define "common.ingress._protocol" -}} +{{- $dot := default . .dot -}} +{{- $protocol := "http" -}} +{{- if $dot.tcpRoutes }} +{{- $protocol = "tcp" -}} +{{- end -}} +{{- if $dot.udpRoutes }} +{{- $protocol = "tcp" -}} +{{- end -}} +{{- if $dot.protocol }} +{{- $protocol = (lower $dot.protocol) -}} +{{- end -}} +{{- $protocol -}} +{{- end -}} {{/* Create the hostname as concatination . @@ -120,6 +285,21 @@ true {{- end -}} {{- end -}} +{{/* + Create Port entry in the Gateway resource +*/}} +{{- define "istio.config.gatewayPort" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $protocol := (required "'protocol' param, set to the specific port, is required." .protocol) -}} + - port: + {{- include "istio.config.port" (dict "dot" $service "baseaddr" $baseaddr "protocol" $protocol) }} + hosts: + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + {{- include "istio.config.tls" (dict "dot" $dot "service" $service "baseaddr" $baseaddr) }} +{{- end -}} + {{/* Helper function to add the route to the service */}} @@ -197,16 +377,17 @@ true Helper function to add ssl annotations */}} {{- define "ingress.config.annotations.ssl" -}} +{{- $class := include "common.ingress._class" (dict "dot" .) }} {{- if .Values.ingress.config -}} {{- if .Values.ingress.config.ssl -}} {{- if eq .Values.ingress.config.ssl "redirect" -}} -kubernetes.io/ingress.class: nginx -nginx.ingress.kubernetes.io/ssl-passthrough: "true" -nginx.ingress.kubernetes.io/ssl-redirect: "true" +kubernetes.io/ingress.class: {{ $class }} +{{ $class }}.ingress.kubernetes.io/ssl-passthrough: "true" +{{ $class }}.ingress.kubernetes.io/ssl-redirect: "true" {{- else if eq .Values.ingress.config.ssl "native" -}} -nginx.ingress.kubernetes.io/ssl-redirect: "true" +{{ $class }}.ingress.kubernetes.io/ssl-redirect: "true" {{- else if eq .Values.ingress.config.ssl "none" -}} -nginx.ingress.kubernetes.io/ssl-redirect: "false" +{{ $class }}.ingress.kubernetes.io/ssl-redirect: "false" {{- end -}} {{- end -}} {{- end -}} @@ -225,66 +406,17 @@ nginx.ingress.kubernetes.io/ssl-redirect: "false" {{ include "ingress.config.annotations.ssl" . | indent 4 | trim }} {{- end -}} -{{/* - Helper function to check the existance of an override value -*/}} -{{- define "common.ingress._overrideIfDefined" -}} - {{- $currValue := .currVal }} - {{- $parent := .parent }} - {{- $var := .var }} - {{- if $parent -}} - {{- if hasKey $parent $var }} - {{- default "" (index $parent $var) }} - {{- else -}} - {{- default "" $currValue -}} - {{- end -}} - {{- else -}} - {{- default "" $currValue }} - {{- end -}} -{{- end -}} - -{{/* - Helper function to check, if Ingress is enabled -*/}} -{{- define "common.ingress._enabled" -}} -{{- $dot := default . .dot -}} -{{- if $dot.Values.ingress -}} -{{- if $dot.Values.global.ingress -}} -{{- if (default false $dot.Values.global.ingress.enabled) -}} -{{- if (default false $dot.Values.global.ingress.enable_all) -}} -true -{{- else -}} -{{- if $dot.Values.ingress.enabled -}} -true -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* - Create Port entry in the Gateway resource -*/}} -{{- define "istio.config.gatewayPort" -}} -{{- $dot := default . .dot -}} -{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} -{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} -{{- $protocol := (required "'protocol' param, set to the specific port, is required." .protocol) -}} - - port: - {{- include "istio.config.port" (dict "dot" $service "baseaddr" $baseaddr "protocol" $protocol) }} - hosts: - - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} - {{- include "istio.config.tls" (dict "dot" $dot "service" $service "baseaddr" $baseaddr) }} -{{- end -}} - {{/* Create Istio Ingress resources per defined service */}} {{- define "common.istioIngress" -}} {{- $dot := default . .dot -}} +{{- $selector := include "common.ingress._selector" (dict "dot" $dot) }} +{{- $gateway := include "common.ingress._commonGateway" (dict "dot" $dot) }} {{ range $dot.Values.ingress.service }} +{{ if or ( eq (include "common.ingress._protocol" (dict "dot" .)) "http" ) ( eq (include "common.ingress._protocol" (dict "dot" .)) "tcp" )}} {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} +{{- if eq $gateway "-" }} --- apiVersion: networking.istio.io/v1beta1 kind: Gateway @@ -292,19 +424,20 @@ metadata: name: {{ $baseaddr }}-gateway spec: selector: - istio: ingress # use Istio default gateway implementation + istio: {{ $selector }} servers: -{{- if .tcpRoutes }} -{{ range .tcpRoutes }} +{{- if .tcpRoutes }} +{{ range .tcpRoutes }} {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "tcp") | trim }} -{{ end -}} -{{- else }} - {{- if .protocol }} +{{ end -}} +{{- else }} + {{- if .protocol }} {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" .protocol) | trim }} - {{- else }} + {{- else }} {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "http") | trim }} - {{ end }} -{{ end }} + {{ end }} +{{ end }} +{{ end }} --- apiVersion: networking.istio.io/v1beta1 kind: VirtualService @@ -314,7 +447,11 @@ spec: hosts: - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} gateways: +{{- if eq $gateway "-" }} - {{ $baseaddr }}-gateway +{{- else }} + - {{ $gateway }} +{{- end }} {{- if .tcpRoutes }} tcp: {{ range .tcpRoutes }} @@ -327,9 +464,253 @@ spec: {{- else }} http: {{ include "istio.config.route" (dict "dot" . "protocol" "http") | trim }} - {{ end }} -{{ end }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* + GW-API Helper function to add the tls route +*/}} +{{- define "gwapi.config.tls_simple" -}} +{{- $dot := default . .dot -}} + tls: +{{- if $dot.Values.global.ingress.config }} +{{- if $dot.Values.global.ingress.config.tls }} + certificateRefs: + - kind: Secret + group: "" + name: {{ default "ingress-tls-secret" $dot.Values.global.ingress.config.tls.secret }} +{{- else }} + certificateRefs: + - kind: Secret + group: "" + name: "ingress-tls-secret" +{{- end }} +{{- else }} + certificateRefs: + - kind: Secret + group: "" + name: "ingress-tls-secret" +{{- end }} + mode: Terminate +{{- end -}} + +{{/* + GW-API Helper function to add the tls route +*/}} +{{- define "gwapi.config.tls" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- if $service.exposedPort }} +{{- if $service.exposedProtocol }} +{{- if eq $service.exposedProtocol "TLS" }} + {{ include "gwapi.config.tls_simple" (dict "dot" $dot ) }} +{{- end }} +{{- end }} +{{- else }} +{{- if (include "common.ingress._tlsRedirect" (dict "dot" $dot)) }} + - name: HTTPS-443 + port: 443 + protocol: HTTPS + hostname: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + {{ include "gwapi.config.tls_simple" (dict "dot" $dot ) }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* + Create Listener entry in the Gateway resource +*/}} +{{- define "gwapi.config.listener" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $protocol := (required "'protocol' param, set to the specific port, is required." .protocol) -}} +{{- $port := default 80 $service.exposedPort -}} + - name: {{ $protocol }}-{{ $port }} + port: {{ $port }} +{{- if $service.exposedProtocol }} + protocol: {{ upper $service.exposedProtocol }} +{{- else }} + protocol: HTTP +{{- end }} + hostname: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + allowedRoutes: + namespaces: + from: All +{{- if eq $service.protocol "tcp" }} + kinds: + - kind: TCPRoute +{{- else if eq $service.protocol "tcp" }} + kinds: + - kind: UDPRoute +{{- end }} + {{- include "gwapi.config.tls" (dict "dot" $dot "service" $service "baseaddr" $baseaddr) }} +{{- end -}} + +{{/* + Create *Route entry for the Gateway-API +*/}} +{{- define "gwapi.config.route" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $protocol := (required "'protocol' param, set to the specific port, is required." .protocol) -}} +{{- $gateway := include "common.ingress._commonGateway" (dict "dot" $dot) -}} +{{- $namespace := default "istio-ingress" $dot.Values.global.ingress.namespace -}} +{{- $path := default "/" $service.path -}} +{{- if eq $protocol "udp" -}} +--- +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: UDPRoute +metadata: + name: {{ $baseaddr }}-{{ $service.exposedPort }}-route +spec: + parentRefs: +{{- if eq $gateway "-" }} + - name: {{ $baseaddr }}-gateway +{{- else }} + - name: {{ $gateway }} +{{- end }} + namespace: {{ $namespace }} + sectionName: udp-{{ $service.exposedPort }} + rules: + - backendRefs: + - name: {{ $service.name }} + port: {{ $service.port }} +{{- else if eq $protocol "tcp" }} +--- +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TCPRoute +metadata: + name: {{ $baseaddr }}-{{ $service.exposedPort }}-route +spec: + parentRefs: +{{- if eq $gateway "-" }} + - name: {{ $baseaddr }}-gateway +{{- else }} + - name: {{ $gateway }} +{{- end }} + namespace: {{ $namespace }} + sectionName: tcp-{{ $service.exposedPort }} + rules: + - backendRefs: + - name: {{ $service.name }} + port: {{ $service.port }} +{{- else if eq $protocol "http" }} +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: {{ $baseaddr }}-http-route +spec: + parentRefs: +{{- if eq $gateway "-" }} + - name: {{ $baseaddr }}-gateway +{{- else }} + - name: {{ $gateway }} +{{- end }} + namespace: {{ $namespace }} +{{- if (include "common.ingress._tlsRedirect" (dict "dot" $dot)) }} + sectionName: {{ include "common.ingress._gatewayHTTPSListener" (dict "dot" $dot) }} +{{- else }} + sectionName: {{ include "common.ingress._gatewayHTTPListener" (dict "dot" $dot) }} +{{- end }} + hostnames: + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + rules: + - backendRefs: + - name: {{ $service.name }} + port: {{ $service.port }} + matches: + - path: + type: PathPrefix + value: {{ $path }} +{{- if (include "common.ingress._tlsRedirect" (dict "dot" $dot)) }} +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: {{ $baseaddr }}-redirect-route +spec: + parentRefs: +{{- if eq $gateway "-" }} + - name: {{ $baseaddr }}-gateway +{{- else }} + - name: {{ $gateway }} +{{- end }} + namespace: {{ $namespace }} + sectionName: {{ include "common.ingress._gatewayHTTPListener" (dict "dot" $dot) }} + hostnames: + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 + port: 443 + matches: + - path: + type: PathPrefix + value: {{ $path }} +{{- end }} +{{- end }} {{- end -}} + +{{/* + Create GW-API Ingress resources per defined service +*/}} +{{- define "common.gwapiIngress" -}} +{{- $dot := default . .dot -}} +{{- $selector := include "common.ingress._selector" (dict "dot" $dot) }} +{{- $gateway := include "common.ingress._commonGateway" (dict "dot" $dot) }} +{{ range $dot.Values.ingress.service }} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} +{{- if eq $gateway "-" }} +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: Gateway +metadata: + name: {{ $baseaddr }}-gateway +spec: + gatewayClassName: {{ $dot.Values.global.serviceMesh.engine }} + listeners: +{{- if .tcpRoutes }} +{{ range .tcpRoutes }} + {{ include "gwapi.config.listener" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "tcp") | trim }} +{{- end -}} +{{- else if .udpRoutes }} +{{ range .udpRoutes }} + {{ include "gwapi.config.listener" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "udp") | trim }} +{{- end -}} +{{- else }} +{{- if .protocol }} + {{ include "gwapi.config.listener" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" (lower .protocol)) | trim }} +{{- else }} + {{ include "gwapi.config.listener" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "http") | trim }} +{{- end }} +{{- end }} +{{- end }} +{{- if .tcpRoutes }} +{{ range .tcpRoutes }} +{{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "tcp") | trim }} +{{- end -}} +{{- else if .udpRoutes }} +{{ range .udpRoutes }} +{{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "udp") | trim }} +{{- end -}} +{{- else }} +{{- if .protocol }} +{{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" (lower .protocol)) | trim }} +{{- else }} +{{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "http") | trim }} +{{- end }} +{{- end }} +{{- end }} {{- end -}} {{/* @@ -337,6 +718,9 @@ spec: */}} {{- define "common.nginxIngress" -}} {{- $dot := default . .dot -}} +{{ range $dot.Values.ingress.service }} +{{ if eq (include "common.ingress._protocol" (dict "dot" .)) "http" }} +{{ $baseaddr := required "baseaddr" .baseaddr }} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -350,21 +734,21 @@ metadata: heritage: {{ $dot.Release.Service }} spec: rules: - {{ include "ingress.config.port" $dot | trim }} -{{- if $dot.Values.ingress.tls }} + {{ include "ingress.config.port" . | trim }} +{{- if $dot.Values.ingress.tls }} tls: {{ toYaml $dot.Values.ingress.tls | indent 4 }} -{{- end -}} -{{- if $dot.Values.ingress.config -}} -{{- if $dot.Values.ingress.config.tls }} +{{- end -}} +{{- if $dot.Values.ingress.config -}} +{{- if $dot.Values.ingress.config.tls }} tls: - hosts: - {{- range $dot.Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }} - - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} - {{- end }} + - {{ include "ingress.config.host" (dict "dot" . "baseaddr" $baseaddr) }} secretName: {{ required "secret" (tpl (default "" $dot.Values.ingress.config.tls.secret) $dot) }} -{{- end -}} -{{- end -}} +{{- end }} +{{- end }} +{{- end }} +{{- end }} {{- end -}} {{/* @@ -381,22 +765,29 @@ spec: | true | true | any | ingress | | true | false | true | ingress | - If ServiceMesh (Istio) is enabled the respective resources are created: - - Gateway + If ServiceMesh (Ingress-Provider: Istio) is enabled the respective resources + are created: + - Gateway (optional) - VirtualService + If ServiceMesh (Ingress-Provider: GatewayAPI) is enabled the respective resources + are created: + - Gateway (optional) + - HTTPRoute, TCPRoute, UDPRoute (depending) + If ServiceMesh is disabled the standard Ingress resource is creates: - Ingress */}} {{- define "common.ingress" -}} {{- $dot := default . .dot -}} +{{- $provider := include "common.ingress._provider" (dict "dot" $dot) -}} {{- if (include "common.ingress._enabled" (dict "dot" $dot)) }} -{{- if (include "common.onServiceMesh" .) }} -{{- if eq (default "istio" .Values.global.serviceMesh.engine) "istio" }} -{{ include "common.istioIngress" (dict "dot" $dot) }} -{{- end -}} -{{- else -}} +{{- if eq $provider "ingress" -}} {{ include "common.nginxIngress" (dict "dot" $dot) }} +{{- else if eq $provider "istio" -}} +{{ include "common.istioIngress" (dict "dot" $dot) }} +{{- else if eq $provider "gw-api" -}} +{{ include "common.gwapiIngress" (dict "dot" $dot) }} {{- end -}} {{- end -}} {{- end -}} diff --git a/kubernetes/common/elasticsearch/Chart.yaml b/kubernetes/common/elasticsearch/Chart.yaml index d0219617c7..82c8ccd056 100644 --- a/kubernetes/common/elasticsearch/Chart.yaml +++ b/kubernetes/common/elasticsearch/Chart.yaml @@ -35,9 +35,6 @@ dependencies: version: ~13.x-0 repository: 'file://components/curator' condition: elasticsearch.curator.enabled,curator.enabled - - name: certInitializer - version: ~13.x-0 - repository: 'file://../certInitializer' - name: repositoryGenerator version: ~13.x-0 repository: 'file://../repositoryGenerator' diff --git a/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml b/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml index 49ce0ef76a..e7520aeed6 100644 --- a/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml +++ b/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml @@ -21,11 +21,5 @@ kind: ConfigMap metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} data: server-block.conf: |- -{{ if .Values.global.aafEnabled }} -{{ .Values.nginx.serverBlock.https | indent 4 }} -{{ else }} {{ .Values.nginx.serverBlock.http | indent 4 }} - - -{{ end }} {{- end -}} diff --git a/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml b/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml index 05e09cb696..43eb92dd1e 100644 --- a/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml +++ b/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml @@ -64,7 +64,6 @@ spec: securityContext: privileged: true {{- end }} - {{ include "common.certInitializer.initContainer" . | nindent 8 }} containers: - name: {{ include "common.name" . }}-nginx @@ -85,7 +84,6 @@ spec: - name: nginx-server-block mountPath: /opt/bitnami/nginx/conf/server_blocks {{- end }} - {{- include "common.certInitializer.volumeMount" . | nindent 10 }} - name: {{ include "common.name" . }}-elasticsearch image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} @@ -172,4 +170,3 @@ spec: configMap: name: {{ include "common.fullname" . }}-nginx-server-block {{- end }} - {{ include "common.certInitializer.volumes" . | nindent 8 }} diff --git a/kubernetes/common/elasticsearch/values.yaml b/kubernetes/common/elasticsearch/values.yaml index 6c46f32c96..c3352ae424 100644 --- a/kubernetes/common/elasticsearch/values.yaml +++ b/kubernetes/common/elasticsearch/values.yaml @@ -17,7 +17,6 @@ # Global configuration defaults. ################################################################# global: - aafEnabled: true nodePortPrefix: 302 clusterName: cluster.local @@ -260,30 +259,6 @@ service: ## Provide functionality to use RBAC ## -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: elasticsearch-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: "elastic" - app_ns: "org.osaaf.aaf" - fqi_namespace: "org.onap.elastic" - fqi: "elastic@elastic.onap.org" - public_fqdn: "aaf.osaaf.org" - cadi_longitude: "0.0" - cadi_latitude: "0.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: > - cd {{ .Values.credsPath }}; - mkdir -p certs; - keytool -exportcert -rfc -file certs/cacert.pem -keystore {{ .Values.fqi_namespace }}.trust.jks -alias ca_local_0 -storepass $cadi_truststore_password; - openssl pkcs12 -in {{ .Values.fqi_namespace }}.p12 -out certs/cert.pem -passin pass:$cadi_keystore_password_p12 -passout pass:$cadi_keystore_password_p12; - cp {{ .Values.fqi_namespace }}.key certs/key.pem; - chmod -R 755 certs; - ################################################################# # subcharts configuration defaults. ################################################################# diff --git a/kubernetes/common/etcd-init/Chart.yaml b/kubernetes/common/etcd-init/Chart.yaml index 6605f519f1..166b4172d3 100644 --- a/kubernetes/common/etcd-init/Chart.yaml +++ b/kubernetes/common/etcd-init/Chart.yaml @@ -25,4 +25,7 @@ dependencies: repository: 'file://../common' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + repository: 'file://../repositoryGenerator' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/common/etcd-init/templates/job.yaml b/kubernetes/common/etcd-init/templates/job.yaml index 4b8e2e5fdd..a517264d57 100644 --- a/kubernetes/common/etcd-init/templates/job.yaml +++ b/kubernetes/common/etcd-init/templates/job.yaml @@ -98,6 +98,7 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/common/etcd-init/values.yaml b/kubernetes/common/etcd-init/values.yaml index 6ccfb3e5d7..721bcb70f3 100644 --- a/kubernetes/common/etcd-init/values.yaml +++ b/kubernetes/common/etcd-init/values.yaml @@ -73,6 +73,12 @@ resources: memory: 20Mi unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: etcd-init + roles: + - read + wait_for_job_container: containers: - '{{ include "common.name" . }}' diff --git a/kubernetes/common/mariadb-init/Chart.yaml b/kubernetes/common/mariadb-init/Chart.yaml index f4d9c2d4af..fe134578df 100644 --- a/kubernetes/common/mariadb-init/Chart.yaml +++ b/kubernetes/common/mariadb-init/Chart.yaml @@ -25,4 +25,7 @@ dependencies: repository: 'file://../common' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + repository: 'file://../repositoryGenerator' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/common/mariadb-init/templates/job.yaml b/kubernetes/common/mariadb-init/templates/job.yaml index e638415548..a899d93a28 100644 --- a/kubernetes/common/mariadb-init/templates/job.yaml +++ b/kubernetes/common/mariadb-init/templates/job.yaml @@ -101,6 +101,7 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/common/mariadb-init/values.yaml b/kubernetes/common/mariadb-init/values.yaml index 1d699bd5ae..2d5de97e7c 100644 --- a/kubernetes/common/mariadb-init/values.yaml +++ b/kubernetes/common/mariadb-init/values.yaml @@ -136,6 +136,12 @@ resources: memory: 20Mi unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: mariadb-init + roles: + - read + wait_for_job_container: containers: - '{{ include "common.name" . }}' diff --git a/kubernetes/common/network-name-gen/Chart.yaml b/kubernetes/common/network-name-gen/Chart.yaml index 4bc06f9fa5..88336f49c3 100644 --- a/kubernetes/common/network-name-gen/Chart.yaml +++ b/kubernetes/common/network-name-gen/Chart.yaml @@ -33,4 +33,7 @@ dependencies: - name: mariadb-init version: ~13.x-0 repository: 'file://../mariadb-init' - condition: global.mariadbGalera.globalCluster \ No newline at end of file + condition: global.mariadbGalera.globalCluster + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/common/network-name-gen/templates/deployment.yaml b/kubernetes/common/network-name-gen/templates/deployment.yaml index 71b7846dc9..940132f477 100644 --- a/kubernetes/common/network-name-gen/templates/deployment.yaml +++ b/kubernetes/common/network-name-gen/templates/deployment.yaml @@ -102,6 +102,7 @@ spec: {{ toYaml .Values.nodeSelector | indent 10 }} {{- end -}} {{- if .Values.affinity }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} diff --git a/kubernetes/common/network-name-gen/values.yaml b/kubernetes/common/network-name-gen/values.yaml index 8b8848b8aa..e3fdb80e71 100644 --- a/kubernetes/common/network-name-gen/values.yaml +++ b/kubernetes/common/network-name-gen/values.yaml @@ -72,6 +72,8 @@ mariadb-init: userCredentialsExternalSecret: *dbUserSecretName mysqlDatabase: *mysqlDbName nameOverride: nengdb-init + serviceAccount: + nameOverride: nengdb-init ################################################################# # Application configuration defaults. diff --git a/kubernetes/common/postgres-init/Chart.yaml b/kubernetes/common/postgres-init/Chart.yaml index 34f5352ea8..59008d37bb 100644 --- a/kubernetes/common/postgres-init/Chart.yaml +++ b/kubernetes/common/postgres-init/Chart.yaml @@ -25,4 +25,7 @@ dependencies: repository: 'file://../common' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + repository: 'file://../repositoryGenerator' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/common/postgres-init/templates/job.yaml b/kubernetes/common/postgres-init/templates/job.yaml index 15260f0b16..09c21fe9e5 100644 --- a/kubernetes/common/postgres-init/templates/job.yaml +++ b/kubernetes/common/postgres-init/templates/job.yaml @@ -102,6 +102,7 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/common/postgres-init/values.yaml b/kubernetes/common/postgres-init/values.yaml index d6d51f0b51..1b9e72b8d7 100644 --- a/kubernetes/common/postgres-init/values.yaml +++ b/kubernetes/common/postgres-init/values.yaml @@ -90,6 +90,12 @@ resources: memory: 2Gi unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: postgres-init + roles: + - read + wait_for_job_container: containers: - '{{ include "common.name" . }}-update-config' \ No newline at end of file diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl index 09a799e713..1da838a5b9 100644 --- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl +++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl @@ -147,8 +147,8 @@ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "readinessImage") .) }} {{- end -}} -{{- define "repositoryGenerator.image.dbcClient" -}} - {{- include "repositoryGenerator.image._helper" (merge (dict "image" "dbcClientImage") .) }} +{{- define "repositoryGenerator.image.drProvClient" -}} + {{- include "repositoryGenerator.image._helper" (merge (dict "image" "drProvClientImage") .) }} {{- end -}} {{- define "repositoryGenerator.image.quitQuit" -}} diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml index b89c2b2bf6..2c94c29b15 100644 --- a/kubernetes/common/repositoryGenerator/values.yaml +++ b/kubernetes/common/repositoryGenerator/values.yaml @@ -41,7 +41,7 @@ global: postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1 readinessImage: onap/oom/readiness:3.0.1 dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 - dbcClientImage: onap/dmaap/dbc-client:2.0.11 + drProvClientImage: onap/dmaap/datarouter-prov-client:2.1.14 quitQuitImage: onap/oom/readiness:4.1.0 # Default credentials @@ -75,5 +75,5 @@ imageRepoMapping: postgresImage: dockerHubRepository readinessImage: repository dcaePolicySyncImage: repository - dbcClientImage: repository + drProvClientImage: repository quitQuitImage: repository diff --git a/kubernetes/cps/components/cps-core/values.yaml b/kubernetes/cps/components/cps-core/values.yaml index f0ff7707ec..b44f45610a 100644 --- a/kubernetes/cps/components/cps-core/values.yaml +++ b/kubernetes/cps/components/cps-core/values.yaml @@ -266,6 +266,8 @@ postgres-init: pgDatabase: cpsdb pgDataPath: data pgUserExternalSecret: *pgUserCredsSecretName + serviceAccount: + nameOverride: cps-postgres-init # pgPrimaryPassword: password # pgUserPassword: password diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl index afd3c38f31..bb35e80848 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl @@ -1,7 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2019 AT&T -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2021 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -33,14 +33,10 @@ The template always produces a configMap containing the microservice's initial configuration data. (See the documentation for dcaegen2-services-common.microserviceDeployment for more details.) -If the microservice is using one or more Data Router (DR) feeds, the +If the microservice is publishing to one or more Data Router (DR) feeds, the template produces a configMap containing the information needed to provision the feed(s). An init container performs the provisioning. -If the microservice acts as a DR publisher for one or more feeds, the -template produces a configMap containing the information needed to -provision the publisher(s). An init container performs the provisioning. - If the microservice acts as a DR subscriber for one or more feeds, the template produces a configMap containing the information needed to provision the subscribeer(s). An init container performs the provisioning. @@ -70,22 +66,22 @@ metadata: data: {{- range $i, $feed := .Values.drFeedConfig }} feedConfig-{{$i}}.json: |- - {{ $feed | toJson | indent 2 }} - {{- end }} -{{- end }} - -{{- if .Values.drPubConfig }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-drpub-config - namespace: {{ include "common.namespace" . }} - labels: {{ include "common.labels" . | nindent 6 }} -data: - {{- range $i, $drpub := .Values.drPubConfig }} - drpubConfig-{{$i}}.json: |- - {{ $drpub | toJson | indent 2 }} + { + "name": {{ $feed.feedName | quote }}, + "version": {{ $feed.feedVersion | quote }}, + "description": {{ $feed.feedDescription | default "None" | quote }}, + "authorization": { + "classification": {{ $feed.classification | quote }}, + "endpoint_addrs": [ + ], + "endpoint_ids": [ + { + "id": {{ $feed.publisher.username | quote }}, + "password": {{ $feed.publisher.password | quote }} + } + ] + } + } {{- end }} {{- end }} @@ -100,7 +96,23 @@ metadata: data: {{- range $i, $drsub := .Values.drSubConfig }} drsubConfig-{{$i}}.json: |- - {{ $drsub | toJson | indent 2 }} + { + "feed": { + "name": {{ $drsub.feedName | quote }}, + "version": {{ $drsub.feedVersion | quote }} + }, + "delivery": { + "url": {{ $drsub.deliveryURL | quote }}, + "user": {{ $drsub.username | quote }}, + "password": {{ $drsub.userpwd | quote }}, + "use100": {{ $drsub.use100 | default false }} + }, + "metadataOnly": {{ $drsub.metadataOnly | default false }}, + "groupid": {{ $drsub.groupId | default 0 }}, + "follow_redirect": {{ $drsub.followRedirect | default true }}, + "privileged_subscriber": {{ $drsub.privilegedSubscriber | default false }}, + "decompress": {{ $drsub.decompress | default false }} + } {{- end }} {{- end }} {{- end }} diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index e7f9627a3d..b0c76a9b3a 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -240,7 +240,7 @@ post-processing. {{- $commonRelease := print (include "common.release" .) -}} {{- $policy := default dict .Values.policies -}} {{- $policyRls := default $commonRelease $policy.policyRelease -}} -{{- $drFeedConfig := default "" .Values.drFeedConfig -}} +{{- $drNeedProvisioning := or .Values.drFeedConfig .Values.drSubConfig -}} {{- $dcaeName := print (include "common.fullname" .) }} {{- $dcaeLabel := (dict "dcaeMicroserviceName" $dcaeName) -}} {{- $dot := . -}} @@ -310,7 +310,7 @@ spec: resources: {{ include "common.resources" . | nindent 10 }} volumeMounts: - mountPath: /app-config - name: {{ ternary "app-config-input" "app-config" (not $drFeedConfig) }} + name: {{ ternary "app-config-input" "app-config" (not $drNeedProvisioning) }} - mountPath: /app-config-input name: app-config-input {{- if $logDir }} diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml index b9e7a39ecb..26bbd37490 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml @@ -89,11 +89,12 @@ certificates: create: true # Dependencies +# Waiting for dmaap-dr-node (which depends on dmaap-dr-prov) +# to be sure that we can provision the DR feed that's needed readinessCheck: wait_for: containers: - - dmaap-bc - - dmaap-provisioning-job + - dmaap-dr-node - message-router # Probe Configuration @@ -166,10 +167,10 @@ applicationConfig: streams_publishes: PM_MEAS_FILES: dmaap_info: - publisher_id: ${DR_FILES_PUBLISHER_ID_0} + publisher_id: "dummy_id" location: loc00 - log_url: ${DR_LOG_URL_0} - publish_url: ${DR_FILES_PUBLISHER_URL_0} + log_url: ${DR_FEED_LOGURL_0} + publish_url: ${DR_FEED_PUBURL_0} username: ${DR_USERNAME} password: ${DR_PASSWORD} type: data_router @@ -187,24 +188,17 @@ applicationEnv: # DataRouter Feed Configuration drFeedConfig: - feedName: bulk_pm_feed - owner: dcaecm feedVersion: "0.0" - asprClassification: unclassified + classification: unclassified feedDescription: DFC Feed Creation - -# DataRouter Publisher Configuration -drPubConfig: - - feedName: bulk_pm_feed - username: ${DR_USERNAME} - userpwd: ${DR_PASSWORD} - dcaeLocationName: loc00 + publisher: + username: ${DR_USERNAME} + password: ${DR_PASSWORD} # ConfigMap Configuration for Feed, Dr_Publisher volumes: - name: feeds-config path: /opt/app/config/feeds - - name: drpub-config - path: /opt/app/config/dr_pubs # Resource Limit Flavor -By Default Using Small flavor: small diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml index 1aee8c9a1b..ab23b54e06 100644 --- a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml @@ -58,13 +58,16 @@ log: logConfigMapNamePrefix: '{{ include "common.fullname" . }}' # Dependencies +# Depend on the datafile-collector, which guarantees that +# the DR feed that pm-mapper susbscribes to will be created +# already by the datafile-collector DMaaP provisioning init +# container. Also guarantees that DR provisioning will be +# available for pm-mapper initContainter to create the +# subscription to the feed. readinessCheck: wait_for: containers: - - dmaap-bc - - dmaap-provisioning-job - dcae-datafile-collector - - message-router # Probe Configuration readiness: @@ -120,7 +123,7 @@ applicationConfig: dmaap_publisher: type: message_router dmaap_info: - client_id: ${MR_FILES_PUBLISHER_CLIENT_ID_0} + client_id: "dummy_id" location: san-francisco client_role: org.onap.dcae.pmPublisher topic_url: http://message-router:3904/events/unauthenticated.PERFORMANCE_MEASUREMENTS @@ -128,7 +131,7 @@ applicationConfig: dmaap_subscriber: type: data_router dmaap_info: - subscriber_id: ${DR_FILES_SUBSCRIBER_ID_0} + subscriber_id: "dummy_id" decompress: true privileged: true username: ${DR_USERNAME} @@ -141,28 +144,18 @@ applicationEnv: #Temporary Dummy CBS Port Value until internal SDK library is updated CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' -# DataRouter Feed Configuration -drFeedConfig: - - feedName: bulk_pm_feed - owner: dcaecm - feedVersion: "0.0" - asprClassification: unclassified - feedDescription: DFC Feed Creation - # DataRouter Subscriber Configuration drSubConfig: - feedName: bulk_pm_feed + feedVersion: "0.0" decompress: true username: ${DR_USERNAME} userpwd: ${DR_PASSWORD} - dcaeLocationName: loc00 privilegedSubscriber: true deliveryURL: http://dcae-pm-mapper:8081/delivery -# ConfigMap Configuration for Dr Feed, Subscriber, MR Topics +# ConfigMap Configuration for DR Subscriber volumes: - - name: feeds-config - path: /opt/app/config/feeds - name: drsub-config path: /opt/app/config/dr_subs diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml index e2ef7bdf3b..f449245f5d 100644 --- a/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml +++ b/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml @@ -84,6 +84,7 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml b/kubernetes/dmaap/components/dmaap-dr-node/values.yaml index eef6755385..d6815fdee1 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/values.yaml @@ -23,7 +23,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/dmaap/datarouter-node:2.1.13 +image: onap/dmaap/datarouter-node:2.1.14 pullPolicy: Always # default number of instances diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml index af855c7640..ba81f768e6 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml @@ -38,7 +38,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/dmaap/datarouter-prov:2.1.13 +image: onap/dmaap/datarouter-prov:2.1.14 pullPolicy: Always # default number of instances @@ -112,6 +112,8 @@ mariadb-init: userCredentialsExternalSecret: *dbUserSecretName mysqlDatabase: *mysqlDbName nameOverride: dmaap-dr-mariadb-init + serviceAccount: + nameOverride: dmaap-dr-mariadb-init # Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml index 021eb02e45..df7f2c0c72 100644 --- a/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml +++ b/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml @@ -32,4 +32,4 @@ dependencies: repository: '@local' - name: serviceAccount version: ~13.x-0 - repository: '@local' + repository: '@local' \ No newline at end of file diff --git a/kubernetes/holmes/values.yaml b/kubernetes/holmes/values.yaml index 40c3d872ff..4ede9a15fd 100644 --- a/kubernetes/holmes/values.yaml +++ b/kubernetes/holmes/values.yaml @@ -87,6 +87,8 @@ postgres-init: # pgPrimaryPassword: password # pgUserPassword: password # pgRootPassword: password + serviceAccount: + nameOverride: holmes-postgres-init holmes-engine-mgmt: config: diff --git a/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml b/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml index bfbff215db..64cd894799 100644 --- a/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml +++ b/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml @@ -46,7 +46,7 @@ spec: - {{ index .Values "mariadb-galera" "nameOverride" }} {{- else }} - --job-name - - {{ include "common.release" . }}-{{ include "common.name" . }}-config-job + - {{ include "common.release" . }}-etsicatalog-db-config-job {{- end }} env: - name: NAMESPACE diff --git a/kubernetes/modeling/components/modeling-etsicatalog/values.yaml b/kubernetes/modeling/components/modeling-etsicatalog/values.yaml index c2b0dcff7d..d5814bc35b 100644 --- a/kubernetes/modeling/components/modeling-etsicatalog/values.yaml +++ b/kubernetes/modeling/components/modeling-etsicatalog/values.yaml @@ -76,7 +76,9 @@ mariadb-init: userCredentialsExternalSecret: *dbSecretName mysqlDatabase: *mysqlDbName # nameOverride should be the same with common.name - nameOverride: modeling-etsicatalog + nameOverride: etsicatalog-db + serviceAccount: + nameOverride: etsicatalog-db ################################################################# # Application configuration defaults. diff --git a/kubernetes/msb/components/msb-eag/Chart.yaml b/kubernetes/msb/components/msb-eag/Chart.yaml index 53c66f7bfa..d42c99388d 100644 --- a/kubernetes/msb/components/msb-eag/Chart.yaml +++ b/kubernetes/msb/components/msb-eag/Chart.yaml @@ -25,9 +25,6 @@ dependencies: - name: repositoryGenerator version: ~13.x-0 repository: '@local' - - name: certInitializer - version: ~13.x-0 - repository: '@local' - name: serviceAccount version: ~13.x-0 repository: '@local' diff --git a/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf b/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf deleted file mode 100644 index 70125753ed..0000000000 --- a/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf +++ /dev/null @@ -1,28 +0,0 @@ -{{/* -# -# Copyright (C) 2017-2018 ZTE, Inc. and others. All rights reserved. (ZTE) -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -*/}} -server { - listen 443 ssl; - ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.crt; - ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_dhparam ../ssl/dh-pubkey/dhparams.pem; - include ../msb-enabled/location-default/msblocations.conf; - # Add below settings for making SDC to work - underscores_in_headers on; -} \ No newline at end of file diff --git a/kubernetes/msb/components/msb-eag/templates/configmap.yaml b/kubernetes/msb/components/msb-eag/templates/configmap.yaml index 30c0a80209..62bbf4272a 100644 --- a/kubernetes/msb/components/msb-eag/templates/configmap.yaml +++ b/kubernetes/msb/components/msb-eag/templates/configmap.yaml @@ -21,11 +21,4 @@ metadata: namespace: {{ include "common.namespace" . }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-nginx - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/nginx/*").AsConfig . | indent 2 }} + diff --git a/kubernetes/msb/components/msb-eag/templates/deployment.yaml b/kubernetes/msb/components/msb-eag/templates/deployment.yaml index cbab98b9fa..ee6db2dc30 100644 --- a/kubernetes/msb/components/msb-eag/templates/deployment.yaml +++ b/kubernetes/msb/components/msb-eag/templates/deployment.yaml @@ -24,7 +24,6 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "common.certInitializer.initContainer" . | indent 6 | trim }} - command: - /app/ready.py args: @@ -49,13 +48,13 @@ spec: {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: @@ -66,17 +65,11 @@ spec: - name: ROUTE_LABELS value: {{ .Values.config.routeLabels }} volumeMounts: - {{ include "common.certInitializer.volumeMount" . | indent 10 | trim }} - mountPath: /etc/localtime name: localtime readOnly: true - mountPath: /usr/local/apiroute-works/logs name: {{ include "common.fullname" . }}-logs - {{- if (include "common.needTLS" .) }} - - mountPath: /usr/local/openresty/nginx/msb-enabled/msbhttps.conf - name: {{ include "common.fullname" . }}-nginx-conf - subPath: msbhttps.conf - {{- end }} resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -90,15 +83,9 @@ spec: {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - {{ include "common.certInitializer.volumes" . | indent 8 | trim }} - name: {{ include "common.fullname" . }}-log-conf configMap: name: {{ include "common.fullname" . }}-log - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.fullname" . }}-nginx-conf - configMap: - name: {{ include "common.fullname" . }}-nginx - {{- end }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} diff --git a/kubernetes/msb/components/msb-eag/values.yaml b/kubernetes/msb/components/msb-eag/values.yaml index 836673ffb1..d66c4a8e13 100644 --- a/kubernetes/msb/components/msb-eag/values.yaml +++ b/kubernetes/msb/components/msb-eag/values.yaml @@ -18,36 +18,6 @@ global: nodePortPrefix: 302 -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: msb-eag-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: msb-eag - fqi: msb-eag@msb-eag.onap.org - fqi_namespace: org.onap.msb-eag - public_fqdn: msb-eag.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - mkdir -p {{ .Values.credsPath }}/certs - echo "*** retrieve certificate from pkcs12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key to relevant place" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership and read/write attributes" - chown -R 1000 {{ .Values.credsPath }}/certs - chmod 600 {{ .Values.credsPath }}/certs/cert.crt - chmod 600 {{ .Values.credsPath }}/certs/cert.key - ################################################################# # Application configuration defaults. ################################################################# @@ -82,15 +52,12 @@ readiness: service: type: NodePort name: msb-eag - both_tls_and_plain: true # for liveness and readiness probe only # internalPort: - internalPort: 443 - internalPlainPort: 80 + internalPort: 80 ports: - name: msb-eag - port: 443 - plain_port: 80 + port: 80 port_protocol: http nodePort: '84' @@ -99,8 +66,7 @@ ingress: service: - baseaddr: "msb-eag-ui" name: "msb-eag" - port: 443 - plain_port: 80 + port: 80 config: ssl: "redirect" diff --git a/kubernetes/msb/components/msb-iag/Chart.yaml b/kubernetes/msb/components/msb-iag/Chart.yaml index f7cb95b81e..50fa020c8b 100644 --- a/kubernetes/msb/components/msb-iag/Chart.yaml +++ b/kubernetes/msb/components/msb-iag/Chart.yaml @@ -25,9 +25,6 @@ dependencies: - name: repositoryGenerator version: ~13.x-0 repository: '@local' - - name: certInitializer - version: ~13.x-0 - repository: '@local' - name: serviceAccount version: ~13.x-0 repository: '@local' diff --git a/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf b/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf deleted file mode 100644 index 70125753ed..0000000000 --- a/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf +++ /dev/null @@ -1,28 +0,0 @@ -{{/* -# -# Copyright (C) 2017-2018 ZTE, Inc. and others. All rights reserved. (ZTE) -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -*/}} -server { - listen 443 ssl; - ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.crt; - ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_dhparam ../ssl/dh-pubkey/dhparams.pem; - include ../msb-enabled/location-default/msblocations.conf; - # Add below settings for making SDC to work - underscores_in_headers on; -} \ No newline at end of file diff --git a/kubernetes/msb/components/msb-iag/templates/configmap.yaml b/kubernetes/msb/components/msb-iag/templates/configmap.yaml index 30c0a80209..7214c8a95f 100644 --- a/kubernetes/msb/components/msb-iag/templates/configmap.yaml +++ b/kubernetes/msb/components/msb-iag/templates/configmap.yaml @@ -21,11 +21,3 @@ metadata: namespace: {{ include "common.namespace" . }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-nginx - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/nginx/*").AsConfig . | indent 2 }} diff --git a/kubernetes/msb/components/msb-iag/templates/deployment.yaml b/kubernetes/msb/components/msb-iag/templates/deployment.yaml index cbab98b9fa..ee6db2dc30 100644 --- a/kubernetes/msb/components/msb-iag/templates/deployment.yaml +++ b/kubernetes/msb/components/msb-iag/templates/deployment.yaml @@ -24,7 +24,6 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "common.certInitializer.initContainer" . | indent 6 | trim }} - command: - /app/ready.py args: @@ -49,13 +48,13 @@ spec: {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: @@ -66,17 +65,11 @@ spec: - name: ROUTE_LABELS value: {{ .Values.config.routeLabels }} volumeMounts: - {{ include "common.certInitializer.volumeMount" . | indent 10 | trim }} - mountPath: /etc/localtime name: localtime readOnly: true - mountPath: /usr/local/apiroute-works/logs name: {{ include "common.fullname" . }}-logs - {{- if (include "common.needTLS" .) }} - - mountPath: /usr/local/openresty/nginx/msb-enabled/msbhttps.conf - name: {{ include "common.fullname" . }}-nginx-conf - subPath: msbhttps.conf - {{- end }} resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -90,15 +83,9 @@ spec: {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - {{ include "common.certInitializer.volumes" . | indent 8 | trim }} - name: {{ include "common.fullname" . }}-log-conf configMap: name: {{ include "common.fullname" . }}-log - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.fullname" . }}-nginx-conf - configMap: - name: {{ include "common.fullname" . }}-nginx - {{- end }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} diff --git a/kubernetes/msb/components/msb-iag/values.yaml b/kubernetes/msb/components/msb-iag/values.yaml index 004a1a7840..5c455d8984 100644 --- a/kubernetes/msb/components/msb-iag/values.yaml +++ b/kubernetes/msb/components/msb-iag/values.yaml @@ -18,36 +18,6 @@ global: nodePortPrefix: 302 -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: msb-iag-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: msb-iag - fqi: msb-iag@msb-iag.onap.org - fqi_namespace: org.onap.msb-iag - public_fqdn: msb-iag.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - mkdir -p {{ .Values.credsPath }}/certs - echo "*** retrieve certificate from pkcs12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key to relevant place" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership and read/write attributes" - chown -R 1000 {{ .Values.credsPath }}/certs - chmod 600 {{ .Values.credsPath }}/certs/cert.crt - chmod 600 {{ .Values.credsPath }}/certs/cert.key - ################################################################# # Application configuration defaults. ################################################################# @@ -82,15 +52,12 @@ readiness: service: type: NodePort name: msb-iag - both_tls_and_plain: true # for liveness and readiness probe only # internalPort: - internalPort: 443 - internalPlainPort: 80 + internalPort: 80 ports: - name: msb-iag - port: 443 - plain_port: 80 + port: 80 port_protocol: http nodePort: '83' @@ -99,8 +66,7 @@ ingress: service: - baseaddr: "msb-iag-ui" name: "msb-iag" - port: 443 - plain_port: 80 + port: 80 config: ssl: "redirect" diff --git a/kubernetes/nbi/values.yaml b/kubernetes/nbi/values.yaml index 6caa8d2fa0..3591d94cc1 100644 --- a/kubernetes/nbi/values.yaml +++ b/kubernetes/nbi/values.yaml @@ -88,6 +88,8 @@ mariadb-init: userCredentialsExternalSecret: *dbUserSecretName mysqlDatabase: *mysqlDbName nameOverride: nbi-config + serviceAccount: + nameOverride: nbi-config mongo: nameOverride: nbi-mongo diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml index c04d397a9a..eeb5fc453b 100644 --- a/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml +++ b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml @@ -22,6 +22,20 @@ global: # enable all component's Ingress interfaces enable_all: true # All http requests via ingress will be redirected + + # Provider: ingress, istio, gw-api + provider: istio + # Ingress class (only for provider "ingress"): e.g. nginx, traefik + ingressClass: + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "" + httpListener: "" + httpsListener: "" + virtualhost: # Default Ingress base URL # can be overwritten in component by setting ingress.baseurlOverride diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml index ac3979ea9d..6d94f9912e 100644 --- a/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml +++ b/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml @@ -20,6 +20,19 @@ global: ingress: enabled: true enable_all: true + # Provider: ingress, istio, gw-api + provider: ingress + # Ingress class (only for provider "ingress"): e.g. nginx, traefik + ingressClass: nginx + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "" + httpListener: "" + httpsListener: "" + cassandra: enabled: true mariadb-galera: diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index be1c4e76c1..119f5e7c22 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -138,6 +138,19 @@ global: # enable all component's Ingress interfaces enable_all: false + # Provider: ingress, istio, gw-api + provider: istio + # Ingress class (only for provider "ingress"): e.g. nginx, traefik + ingressClass: + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "" + httpListener: "" + httpsListener: "" + # default Ingress base URL and preAddr- and postAddr settings # Ingress URLs result: # . @@ -162,7 +175,7 @@ global: # tls: # secret: 'my-ingress-cert' - # optional: Namespace of the Istio IngressGateway + # optional: Namespace of the Istio IngressGateway or Gateway-API # only valid for Istio Gateway (ServiceMesh enabled) namespace: istio-ingress diff --git a/kubernetes/oof/components/oof-has/values.yaml b/kubernetes/oof/components/oof-has/values.yaml index 1af6391b00..00d108de23 100755 --- a/kubernetes/oof/components/oof-has/values.yaml +++ b/kubernetes/oof/components/oof-has/values.yaml @@ -141,6 +141,8 @@ etcd-init: keyPrefix: conductor flavor: *etcd-flavor resources: *etcd-resources + serviceAccount: + nameOverride: *job-name # Python doesn't support well dollar sign in password passwordStrengthOverride: basic diff --git a/kubernetes/sdc/components/sdc-be/templates/job.yaml b/kubernetes/sdc/components/sdc-be/templates/job.yaml index b06308c473..5d50ab3275 100644 --- a/kubernetes/sdc/components/sdc-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/job.yaml @@ -77,6 +77,7 @@ spec: cpu: 200m memory: 200Mi {{ include "common.waitForJobContainer" . | indent 6 | trim }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-environments configMap: diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml index b06bcaedf9..eb0958c3f0 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml @@ -93,6 +93,7 @@ spec: cpu: 200m memory: 200Mi {{ include "common.waitForJobContainer" . | indent 6 | trim }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-environments configMap: diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml index b9abef8462..fc8b8fa5e3 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml @@ -81,6 +81,7 @@ spec: valueFrom: {secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password}} resources: {{ include "common.resources" . | nindent 10 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-cqlshrc configMap: diff --git a/kubernetes/sdnc/templates/job.yaml b/kubernetes/sdnc/templates/job.yaml index b6dc32b096..e1d24b10fe 100755 --- a/kubernetes/sdnc/templates/job.yaml +++ b/kubernetes/sdnc/templates/job.yaml @@ -159,6 +159,7 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/sdnc/templates/sdnrdb-init-job.yaml b/kubernetes/sdnc/templates/sdnrdb-init-job.yaml index a36b97d39c..6c6e33a951 100755 --- a/kubernetes/sdnc/templates/sdnrdb-init-job.yaml +++ b/kubernetes/sdnc/templates/sdnrdb-init-job.yaml @@ -91,6 +91,7 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index 9a00798545..f1a428fb33 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -389,6 +389,8 @@ kafkaUser: *kafkaUser # dependency / sub-chart configuration network-name-gen: enabled: true + serviceAccount: + nameOverride: sdnc-name-gen mariadb-galera: &mariadbGalera nameOverride: &sdnc-db sdnc-db config: &mariadbGaleraConfig diff --git a/kubernetes/so/components/so-mariadb/templates/job.yaml b/kubernetes/so/components/so-mariadb/templates/job.yaml index 155814d604..7be44c4201 100644 --- a/kubernetes/so/components/so-mariadb/templates/job.yaml +++ b/kubernetes/so/components/so-mariadb/templates/job.yaml @@ -176,6 +176,7 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml b/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml index ba1e385a12..c084d63cba 100644 --- a/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml +++ b/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml @@ -69,6 +69,7 @@ spec: {{ include "common.waitForJobContainer" . | indent 6 | trim }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: init-data configMap: diff --git a/kubernetes/uui/components/uui-intent-analysis/values.yaml b/kubernetes/uui/components/uui-intent-analysis/values.yaml index a42090f998..97bf9c105d 100644 --- a/kubernetes/uui/components/uui-intent-analysis/values.yaml +++ b/kubernetes/uui/components/uui-intent-analysis/values.yaml @@ -123,3 +123,4 @@ resources: cpu: 2 memory: 1Gi unlimited: {} + diff --git a/kubernetes/uui/components/uui-server/templates/job.yaml b/kubernetes/uui/components/uui-server/templates/job.yaml index 62cf7bb967..4ab3c5f1c0 100644 --- a/kubernetes/uui/components/uui-server/templates/job.yaml +++ b/kubernetes/uui/components/uui-server/templates/job.yaml @@ -61,6 +61,7 @@ spec: {{ include "common.waitForJobContainer" . | indent 6 | trim }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: init-data configMap: