From: vladimir turok Date: Thu, 27 Jul 2023 14:28:36 +0000 (+0200) Subject: [OOM] Fixing k8s ServiceAccounts X-Git-Tag: 13.0.0-DOC~23^2 X-Git-Url: https://gerrit.onap.org/r/gitweb?p=oom.git;a=commitdiff_plain;h=d804418c890dde93bff26125b8cf1a9fd7fc82d1 [OOM] Fixing k8s ServiceAccounts Adding service account for the jobs Cleanup MSB, ES and other common charts from AAF dependencies Issue-ID: OOM-3199 Issue-ID: OOM-3114 Issue-ID: OOM-3116 Change-Id: I55bf80876c9fb3b110e538ed1a5504e0dc1d4e1a Signed-off-by: vladimir turok --- diff --git a/kubernetes/common/cert-wrapper/values.yaml b/kubernetes/common/cert-wrapper/values.yaml index fcece0e3f5..34f3ad5eea 100644 --- a/kubernetes/common/cert-wrapper/values.yaml +++ b/kubernetes/common/cert-wrapper/values.yaml @@ -15,3 +15,5 @@ certInitializer: nameOverride: cert-initializer createCertsCM: true + serviceAccount: + nameOverride: cert-initializer \ No newline at end of file diff --git a/kubernetes/common/certInitializer/Chart.yaml b/kubernetes/common/certInitializer/Chart.yaml index e1bb478d8a..d70b1de52b 100644 --- a/kubernetes/common/certInitializer/Chart.yaml +++ b/kubernetes/common/certInitializer/Chart.yaml @@ -29,3 +29,6 @@ dependencies: - name: repositoryGenerator version: ~13.x-0 repository: 'file://../repositoryGenerator' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/common/certInitializer/templates/job.yaml b/kubernetes/common/certInitializer/templates/job.yaml index 84a3e87098..3120455300 100644 --- a/kubernetes/common/certInitializer/templates/job.yaml +++ b/kubernetes/common/certInitializer/templates/job.yaml @@ -36,6 +36,7 @@ spec: volumeMounts: {{ include "common.certInitializer.volumeMount" (dict "dot" . "initRoot" .Values) | nindent 8 }} - name: ingress-scripts mountPath: /ingress + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: {{ include "common.certInitializer.volumes" (dict "dot" . "initRoot" .Values) | nindent 6 }} - name: localtime hostPath: diff --git a/kubernetes/common/certInitializer/values.yaml b/kubernetes/common/certInitializer/values.yaml index 747c94f4d1..0fde2cf532 100644 --- a/kubernetes/common/certInitializer/values.yaml +++ b/kubernetes/common/certInitializer/values.yaml @@ -70,3 +70,9 @@ envVarToCheck: cadi_keystore_password_p12 # We had to move this CM to a separate chart to reduce the total size of our charts # as it exceeds the default helm limits. certsCMName: '{{ include "common.release" . }}-cert-wrapper-certs' + +#Pods Service Account +serviceAccount: + nameOverride: certinitializer + roles: + - read \ No newline at end of file diff --git a/kubernetes/common/elasticsearch/Chart.yaml b/kubernetes/common/elasticsearch/Chart.yaml index d0219617c7..82c8ccd056 100644 --- a/kubernetes/common/elasticsearch/Chart.yaml +++ b/kubernetes/common/elasticsearch/Chart.yaml @@ -35,9 +35,6 @@ dependencies: version: ~13.x-0 repository: 'file://components/curator' condition: elasticsearch.curator.enabled,curator.enabled - - name: certInitializer - version: ~13.x-0 - repository: 'file://../certInitializer' - name: repositoryGenerator version: ~13.x-0 repository: 'file://../repositoryGenerator' diff --git a/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml b/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml index 49ce0ef76a..e7520aeed6 100644 --- a/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml +++ b/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml @@ -21,11 +21,5 @@ kind: ConfigMap metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} data: server-block.conf: |- -{{ if .Values.global.aafEnabled }} -{{ .Values.nginx.serverBlock.https | indent 4 }} -{{ else }} {{ .Values.nginx.serverBlock.http | indent 4 }} - - -{{ end }} {{- end -}} diff --git a/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml b/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml index 05e09cb696..43eb92dd1e 100644 --- a/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml +++ b/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml @@ -64,7 +64,6 @@ spec: securityContext: privileged: true {{- end }} - {{ include "common.certInitializer.initContainer" . | nindent 8 }} containers: - name: {{ include "common.name" . }}-nginx @@ -85,7 +84,6 @@ spec: - name: nginx-server-block mountPath: /opt/bitnami/nginx/conf/server_blocks {{- end }} - {{- include "common.certInitializer.volumeMount" . | nindent 10 }} - name: {{ include "common.name" . }}-elasticsearch image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} @@ -172,4 +170,3 @@ spec: configMap: name: {{ include "common.fullname" . }}-nginx-server-block {{- end }} - {{ include "common.certInitializer.volumes" . | nindent 8 }} diff --git a/kubernetes/common/elasticsearch/values.yaml b/kubernetes/common/elasticsearch/values.yaml index 6c46f32c96..c3352ae424 100644 --- a/kubernetes/common/elasticsearch/values.yaml +++ b/kubernetes/common/elasticsearch/values.yaml @@ -17,7 +17,6 @@ # Global configuration defaults. ################################################################# global: - aafEnabled: true nodePortPrefix: 302 clusterName: cluster.local @@ -260,30 +259,6 @@ service: ## Provide functionality to use RBAC ## -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: elasticsearch-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: "elastic" - app_ns: "org.osaaf.aaf" - fqi_namespace: "org.onap.elastic" - fqi: "elastic@elastic.onap.org" - public_fqdn: "aaf.osaaf.org" - cadi_longitude: "0.0" - cadi_latitude: "0.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: > - cd {{ .Values.credsPath }}; - mkdir -p certs; - keytool -exportcert -rfc -file certs/cacert.pem -keystore {{ .Values.fqi_namespace }}.trust.jks -alias ca_local_0 -storepass $cadi_truststore_password; - openssl pkcs12 -in {{ .Values.fqi_namespace }}.p12 -out certs/cert.pem -passin pass:$cadi_keystore_password_p12 -passout pass:$cadi_keystore_password_p12; - cp {{ .Values.fqi_namespace }}.key certs/key.pem; - chmod -R 755 certs; - ################################################################# # subcharts configuration defaults. ################################################################# diff --git a/kubernetes/common/etcd-init/Chart.yaml b/kubernetes/common/etcd-init/Chart.yaml index 6605f519f1..166b4172d3 100644 --- a/kubernetes/common/etcd-init/Chart.yaml +++ b/kubernetes/common/etcd-init/Chart.yaml @@ -25,4 +25,7 @@ dependencies: repository: 'file://../common' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + repository: 'file://../repositoryGenerator' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/common/etcd-init/templates/job.yaml b/kubernetes/common/etcd-init/templates/job.yaml index 4b8e2e5fdd..a517264d57 100644 --- a/kubernetes/common/etcd-init/templates/job.yaml +++ b/kubernetes/common/etcd-init/templates/job.yaml @@ -98,6 +98,7 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/common/etcd-init/values.yaml b/kubernetes/common/etcd-init/values.yaml index 6ccfb3e5d7..721bcb70f3 100644 --- a/kubernetes/common/etcd-init/values.yaml +++ b/kubernetes/common/etcd-init/values.yaml @@ -73,6 +73,12 @@ resources: memory: 20Mi unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: etcd-init + roles: + - read + wait_for_job_container: containers: - '{{ include "common.name" . }}' diff --git a/kubernetes/common/mariadb-init/Chart.yaml b/kubernetes/common/mariadb-init/Chart.yaml index f4d9c2d4af..fe134578df 100644 --- a/kubernetes/common/mariadb-init/Chart.yaml +++ b/kubernetes/common/mariadb-init/Chart.yaml @@ -25,4 +25,7 @@ dependencies: repository: 'file://../common' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + repository: 'file://../repositoryGenerator' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/common/mariadb-init/templates/job.yaml b/kubernetes/common/mariadb-init/templates/job.yaml index e638415548..a899d93a28 100644 --- a/kubernetes/common/mariadb-init/templates/job.yaml +++ b/kubernetes/common/mariadb-init/templates/job.yaml @@ -101,6 +101,7 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/common/mariadb-init/values.yaml b/kubernetes/common/mariadb-init/values.yaml index 1d699bd5ae..2d5de97e7c 100644 --- a/kubernetes/common/mariadb-init/values.yaml +++ b/kubernetes/common/mariadb-init/values.yaml @@ -136,6 +136,12 @@ resources: memory: 20Mi unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: mariadb-init + roles: + - read + wait_for_job_container: containers: - '{{ include "common.name" . }}' diff --git a/kubernetes/common/network-name-gen/Chart.yaml b/kubernetes/common/network-name-gen/Chart.yaml index 4bc06f9fa5..88336f49c3 100644 --- a/kubernetes/common/network-name-gen/Chart.yaml +++ b/kubernetes/common/network-name-gen/Chart.yaml @@ -33,4 +33,7 @@ dependencies: - name: mariadb-init version: ~13.x-0 repository: 'file://../mariadb-init' - condition: global.mariadbGalera.globalCluster \ No newline at end of file + condition: global.mariadbGalera.globalCluster + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/common/network-name-gen/templates/deployment.yaml b/kubernetes/common/network-name-gen/templates/deployment.yaml index 71b7846dc9..940132f477 100644 --- a/kubernetes/common/network-name-gen/templates/deployment.yaml +++ b/kubernetes/common/network-name-gen/templates/deployment.yaml @@ -102,6 +102,7 @@ spec: {{ toYaml .Values.nodeSelector | indent 10 }} {{- end -}} {{- if .Values.affinity }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} diff --git a/kubernetes/common/network-name-gen/values.yaml b/kubernetes/common/network-name-gen/values.yaml index 8b8848b8aa..e3fdb80e71 100644 --- a/kubernetes/common/network-name-gen/values.yaml +++ b/kubernetes/common/network-name-gen/values.yaml @@ -72,6 +72,8 @@ mariadb-init: userCredentialsExternalSecret: *dbUserSecretName mysqlDatabase: *mysqlDbName nameOverride: nengdb-init + serviceAccount: + nameOverride: nengdb-init ################################################################# # Application configuration defaults. diff --git a/kubernetes/common/postgres-init/Chart.yaml b/kubernetes/common/postgres-init/Chart.yaml index 34f5352ea8..59008d37bb 100644 --- a/kubernetes/common/postgres-init/Chart.yaml +++ b/kubernetes/common/postgres-init/Chart.yaml @@ -25,4 +25,7 @@ dependencies: repository: 'file://../common' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + repository: 'file://../repositoryGenerator' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/common/postgres-init/templates/job.yaml b/kubernetes/common/postgres-init/templates/job.yaml index 15260f0b16..09c21fe9e5 100644 --- a/kubernetes/common/postgres-init/templates/job.yaml +++ b/kubernetes/common/postgres-init/templates/job.yaml @@ -102,6 +102,7 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/common/postgres-init/values.yaml b/kubernetes/common/postgres-init/values.yaml index d6d51f0b51..1b9e72b8d7 100644 --- a/kubernetes/common/postgres-init/values.yaml +++ b/kubernetes/common/postgres-init/values.yaml @@ -90,6 +90,12 @@ resources: memory: 2Gi unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: postgres-init + roles: + - read + wait_for_job_container: containers: - '{{ include "common.name" . }}-update-config' \ No newline at end of file diff --git a/kubernetes/cps/components/cps-core/values.yaml b/kubernetes/cps/components/cps-core/values.yaml index f0ff7707ec..b44f45610a 100644 --- a/kubernetes/cps/components/cps-core/values.yaml +++ b/kubernetes/cps/components/cps-core/values.yaml @@ -266,6 +266,8 @@ postgres-init: pgDatabase: cpsdb pgDataPath: data pgUserExternalSecret: *pgUserCredsSecretName + serviceAccount: + nameOverride: cps-postgres-init # pgPrimaryPassword: password # pgUserPassword: password diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml index e2ef7bdf3b..f449245f5d 100644 --- a/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml +++ b/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml @@ -84,6 +84,7 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml index af855c7640..e1914321c1 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml @@ -112,6 +112,8 @@ mariadb-init: userCredentialsExternalSecret: *dbUserSecretName mysqlDatabase: *mysqlDbName nameOverride: dmaap-dr-mariadb-init + serviceAccount: + nameOverride: dmaap-dr-mariadb-init # Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml index 021eb02e45..df7f2c0c72 100644 --- a/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml +++ b/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml @@ -32,4 +32,4 @@ dependencies: repository: '@local' - name: serviceAccount version: ~13.x-0 - repository: '@local' + repository: '@local' \ No newline at end of file diff --git a/kubernetes/holmes/values.yaml b/kubernetes/holmes/values.yaml index 40c3d872ff..4ede9a15fd 100644 --- a/kubernetes/holmes/values.yaml +++ b/kubernetes/holmes/values.yaml @@ -87,6 +87,8 @@ postgres-init: # pgPrimaryPassword: password # pgUserPassword: password # pgRootPassword: password + serviceAccount: + nameOverride: holmes-postgres-init holmes-engine-mgmt: config: diff --git a/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml b/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml index bfbff215db..64cd894799 100644 --- a/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml +++ b/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml @@ -46,7 +46,7 @@ spec: - {{ index .Values "mariadb-galera" "nameOverride" }} {{- else }} - --job-name - - {{ include "common.release" . }}-{{ include "common.name" . }}-config-job + - {{ include "common.release" . }}-etsicatalog-db-config-job {{- end }} env: - name: NAMESPACE diff --git a/kubernetes/modeling/components/modeling-etsicatalog/values.yaml b/kubernetes/modeling/components/modeling-etsicatalog/values.yaml index c2b0dcff7d..d5814bc35b 100644 --- a/kubernetes/modeling/components/modeling-etsicatalog/values.yaml +++ b/kubernetes/modeling/components/modeling-etsicatalog/values.yaml @@ -76,7 +76,9 @@ mariadb-init: userCredentialsExternalSecret: *dbSecretName mysqlDatabase: *mysqlDbName # nameOverride should be the same with common.name - nameOverride: modeling-etsicatalog + nameOverride: etsicatalog-db + serviceAccount: + nameOverride: etsicatalog-db ################################################################# # Application configuration defaults. diff --git a/kubernetes/msb/components/msb-eag/Chart.yaml b/kubernetes/msb/components/msb-eag/Chart.yaml index 53c66f7bfa..d42c99388d 100644 --- a/kubernetes/msb/components/msb-eag/Chart.yaml +++ b/kubernetes/msb/components/msb-eag/Chart.yaml @@ -25,9 +25,6 @@ dependencies: - name: repositoryGenerator version: ~13.x-0 repository: '@local' - - name: certInitializer - version: ~13.x-0 - repository: '@local' - name: serviceAccount version: ~13.x-0 repository: '@local' diff --git a/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf b/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf deleted file mode 100644 index 70125753ed..0000000000 --- a/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf +++ /dev/null @@ -1,28 +0,0 @@ -{{/* -# -# Copyright (C) 2017-2018 ZTE, Inc. and others. All rights reserved. (ZTE) -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -*/}} -server { - listen 443 ssl; - ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.crt; - ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_dhparam ../ssl/dh-pubkey/dhparams.pem; - include ../msb-enabled/location-default/msblocations.conf; - # Add below settings for making SDC to work - underscores_in_headers on; -} \ No newline at end of file diff --git a/kubernetes/msb/components/msb-eag/templates/configmap.yaml b/kubernetes/msb/components/msb-eag/templates/configmap.yaml index 30c0a80209..62bbf4272a 100644 --- a/kubernetes/msb/components/msb-eag/templates/configmap.yaml +++ b/kubernetes/msb/components/msb-eag/templates/configmap.yaml @@ -21,11 +21,4 @@ metadata: namespace: {{ include "common.namespace" . }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-nginx - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/nginx/*").AsConfig . | indent 2 }} + diff --git a/kubernetes/msb/components/msb-eag/templates/deployment.yaml b/kubernetes/msb/components/msb-eag/templates/deployment.yaml index cbab98b9fa..ee6db2dc30 100644 --- a/kubernetes/msb/components/msb-eag/templates/deployment.yaml +++ b/kubernetes/msb/components/msb-eag/templates/deployment.yaml @@ -24,7 +24,6 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "common.certInitializer.initContainer" . | indent 6 | trim }} - command: - /app/ready.py args: @@ -49,13 +48,13 @@ spec: {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: @@ -66,17 +65,11 @@ spec: - name: ROUTE_LABELS value: {{ .Values.config.routeLabels }} volumeMounts: - {{ include "common.certInitializer.volumeMount" . | indent 10 | trim }} - mountPath: /etc/localtime name: localtime readOnly: true - mountPath: /usr/local/apiroute-works/logs name: {{ include "common.fullname" . }}-logs - {{- if (include "common.needTLS" .) }} - - mountPath: /usr/local/openresty/nginx/msb-enabled/msbhttps.conf - name: {{ include "common.fullname" . }}-nginx-conf - subPath: msbhttps.conf - {{- end }} resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -90,15 +83,9 @@ spec: {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - {{ include "common.certInitializer.volumes" . | indent 8 | trim }} - name: {{ include "common.fullname" . }}-log-conf configMap: name: {{ include "common.fullname" . }}-log - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.fullname" . }}-nginx-conf - configMap: - name: {{ include "common.fullname" . }}-nginx - {{- end }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} diff --git a/kubernetes/msb/components/msb-eag/values.yaml b/kubernetes/msb/components/msb-eag/values.yaml index 836673ffb1..d66c4a8e13 100644 --- a/kubernetes/msb/components/msb-eag/values.yaml +++ b/kubernetes/msb/components/msb-eag/values.yaml @@ -18,36 +18,6 @@ global: nodePortPrefix: 302 -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: msb-eag-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: msb-eag - fqi: msb-eag@msb-eag.onap.org - fqi_namespace: org.onap.msb-eag - public_fqdn: msb-eag.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - mkdir -p {{ .Values.credsPath }}/certs - echo "*** retrieve certificate from pkcs12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key to relevant place" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership and read/write attributes" - chown -R 1000 {{ .Values.credsPath }}/certs - chmod 600 {{ .Values.credsPath }}/certs/cert.crt - chmod 600 {{ .Values.credsPath }}/certs/cert.key - ################################################################# # Application configuration defaults. ################################################################# @@ -82,15 +52,12 @@ readiness: service: type: NodePort name: msb-eag - both_tls_and_plain: true # for liveness and readiness probe only # internalPort: - internalPort: 443 - internalPlainPort: 80 + internalPort: 80 ports: - name: msb-eag - port: 443 - plain_port: 80 + port: 80 port_protocol: http nodePort: '84' @@ -99,8 +66,7 @@ ingress: service: - baseaddr: "msb-eag-ui" name: "msb-eag" - port: 443 - plain_port: 80 + port: 80 config: ssl: "redirect" diff --git a/kubernetes/msb/components/msb-iag/Chart.yaml b/kubernetes/msb/components/msb-iag/Chart.yaml index f7cb95b81e..50fa020c8b 100644 --- a/kubernetes/msb/components/msb-iag/Chart.yaml +++ b/kubernetes/msb/components/msb-iag/Chart.yaml @@ -25,9 +25,6 @@ dependencies: - name: repositoryGenerator version: ~13.x-0 repository: '@local' - - name: certInitializer - version: ~13.x-0 - repository: '@local' - name: serviceAccount version: ~13.x-0 repository: '@local' diff --git a/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf b/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf deleted file mode 100644 index 70125753ed..0000000000 --- a/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf +++ /dev/null @@ -1,28 +0,0 @@ -{{/* -# -# Copyright (C) 2017-2018 ZTE, Inc. and others. All rights reserved. (ZTE) -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -*/}} -server { - listen 443 ssl; - ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.crt; - ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_dhparam ../ssl/dh-pubkey/dhparams.pem; - include ../msb-enabled/location-default/msblocations.conf; - # Add below settings for making SDC to work - underscores_in_headers on; -} \ No newline at end of file diff --git a/kubernetes/msb/components/msb-iag/templates/configmap.yaml b/kubernetes/msb/components/msb-iag/templates/configmap.yaml index 30c0a80209..7214c8a95f 100644 --- a/kubernetes/msb/components/msb-iag/templates/configmap.yaml +++ b/kubernetes/msb/components/msb-iag/templates/configmap.yaml @@ -21,11 +21,3 @@ metadata: namespace: {{ include "common.namespace" . }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-nginx - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/nginx/*").AsConfig . | indent 2 }} diff --git a/kubernetes/msb/components/msb-iag/templates/deployment.yaml b/kubernetes/msb/components/msb-iag/templates/deployment.yaml index cbab98b9fa..ee6db2dc30 100644 --- a/kubernetes/msb/components/msb-iag/templates/deployment.yaml +++ b/kubernetes/msb/components/msb-iag/templates/deployment.yaml @@ -24,7 +24,6 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "common.certInitializer.initContainer" . | indent 6 | trim }} - command: - /app/ready.py args: @@ -49,13 +48,13 @@ spec: {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: @@ -66,17 +65,11 @@ spec: - name: ROUTE_LABELS value: {{ .Values.config.routeLabels }} volumeMounts: - {{ include "common.certInitializer.volumeMount" . | indent 10 | trim }} - mountPath: /etc/localtime name: localtime readOnly: true - mountPath: /usr/local/apiroute-works/logs name: {{ include "common.fullname" . }}-logs - {{- if (include "common.needTLS" .) }} - - mountPath: /usr/local/openresty/nginx/msb-enabled/msbhttps.conf - name: {{ include "common.fullname" . }}-nginx-conf - subPath: msbhttps.conf - {{- end }} resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -90,15 +83,9 @@ spec: {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - {{ include "common.certInitializer.volumes" . | indent 8 | trim }} - name: {{ include "common.fullname" . }}-log-conf configMap: name: {{ include "common.fullname" . }}-log - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.fullname" . }}-nginx-conf - configMap: - name: {{ include "common.fullname" . }}-nginx - {{- end }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} diff --git a/kubernetes/msb/components/msb-iag/values.yaml b/kubernetes/msb/components/msb-iag/values.yaml index 004a1a7840..5c455d8984 100644 --- a/kubernetes/msb/components/msb-iag/values.yaml +++ b/kubernetes/msb/components/msb-iag/values.yaml @@ -18,36 +18,6 @@ global: nodePortPrefix: 302 -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: msb-iag-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: msb-iag - fqi: msb-iag@msb-iag.onap.org - fqi_namespace: org.onap.msb-iag - public_fqdn: msb-iag.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - mkdir -p {{ .Values.credsPath }}/certs - echo "*** retrieve certificate from pkcs12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key to relevant place" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership and read/write attributes" - chown -R 1000 {{ .Values.credsPath }}/certs - chmod 600 {{ .Values.credsPath }}/certs/cert.crt - chmod 600 {{ .Values.credsPath }}/certs/cert.key - ################################################################# # Application configuration defaults. ################################################################# @@ -82,15 +52,12 @@ readiness: service: type: NodePort name: msb-iag - both_tls_and_plain: true # for liveness and readiness probe only # internalPort: - internalPort: 443 - internalPlainPort: 80 + internalPort: 80 ports: - name: msb-iag - port: 443 - plain_port: 80 + port: 80 port_protocol: http nodePort: '83' @@ -99,8 +66,7 @@ ingress: service: - baseaddr: "msb-iag-ui" name: "msb-iag" - port: 443 - plain_port: 80 + port: 80 config: ssl: "redirect" diff --git a/kubernetes/nbi/values.yaml b/kubernetes/nbi/values.yaml index 6caa8d2fa0..3591d94cc1 100644 --- a/kubernetes/nbi/values.yaml +++ b/kubernetes/nbi/values.yaml @@ -88,6 +88,8 @@ mariadb-init: userCredentialsExternalSecret: *dbUserSecretName mysqlDatabase: *mysqlDbName nameOverride: nbi-config + serviceAccount: + nameOverride: nbi-config mongo: nameOverride: nbi-mongo diff --git a/kubernetes/oof/components/oof-has/values.yaml b/kubernetes/oof/components/oof-has/values.yaml index 1af6391b00..00d108de23 100755 --- a/kubernetes/oof/components/oof-has/values.yaml +++ b/kubernetes/oof/components/oof-has/values.yaml @@ -141,6 +141,8 @@ etcd-init: keyPrefix: conductor flavor: *etcd-flavor resources: *etcd-resources + serviceAccount: + nameOverride: *job-name # Python doesn't support well dollar sign in password passwordStrengthOverride: basic diff --git a/kubernetes/sdc/components/sdc-be/templates/job.yaml b/kubernetes/sdc/components/sdc-be/templates/job.yaml index b06308c473..5d50ab3275 100644 --- a/kubernetes/sdc/components/sdc-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/job.yaml @@ -77,6 +77,7 @@ spec: cpu: 200m memory: 200Mi {{ include "common.waitForJobContainer" . | indent 6 | trim }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-environments configMap: diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml index b06bcaedf9..eb0958c3f0 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml @@ -93,6 +93,7 @@ spec: cpu: 200m memory: 200Mi {{ include "common.waitForJobContainer" . | indent 6 | trim }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-environments configMap: diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml index b9abef8462..fc8b8fa5e3 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml @@ -81,6 +81,7 @@ spec: valueFrom: {secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password}} resources: {{ include "common.resources" . | nindent 10 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-cqlshrc configMap: diff --git a/kubernetes/sdnc/templates/job.yaml b/kubernetes/sdnc/templates/job.yaml index b6dc32b096..e1d24b10fe 100755 --- a/kubernetes/sdnc/templates/job.yaml +++ b/kubernetes/sdnc/templates/job.yaml @@ -159,6 +159,7 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/sdnc/templates/sdnrdb-init-job.yaml b/kubernetes/sdnc/templates/sdnrdb-init-job.yaml index a36b97d39c..6c6e33a951 100755 --- a/kubernetes/sdnc/templates/sdnrdb-init-job.yaml +++ b/kubernetes/sdnc/templates/sdnrdb-init-job.yaml @@ -91,6 +91,7 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index 9a00798545..f1a428fb33 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -389,6 +389,8 @@ kafkaUser: *kafkaUser # dependency / sub-chart configuration network-name-gen: enabled: true + serviceAccount: + nameOverride: sdnc-name-gen mariadb-galera: &mariadbGalera nameOverride: &sdnc-db sdnc-db config: &mariadbGaleraConfig diff --git a/kubernetes/so/components/so-mariadb/templates/job.yaml b/kubernetes/so/components/so-mariadb/templates/job.yaml index 155814d604..7be44c4201 100644 --- a/kubernetes/so/components/so-mariadb/templates/job.yaml +++ b/kubernetes/so/components/so-mariadb/templates/job.yaml @@ -176,6 +176,7 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml b/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml index ba1e385a12..c084d63cba 100644 --- a/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml +++ b/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml @@ -69,6 +69,7 @@ spec: {{ include "common.waitForJobContainer" . | indent 6 | trim }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: init-data configMap: diff --git a/kubernetes/uui/components/uui-intent-analysis/values.yaml b/kubernetes/uui/components/uui-intent-analysis/values.yaml index a42090f998..97bf9c105d 100644 --- a/kubernetes/uui/components/uui-intent-analysis/values.yaml +++ b/kubernetes/uui/components/uui-intent-analysis/values.yaml @@ -123,3 +123,4 @@ resources: cpu: 2 memory: 1Gi unlimited: {} + diff --git a/kubernetes/uui/components/uui-server/templates/job.yaml b/kubernetes/uui/components/uui-server/templates/job.yaml index 62cf7bb967..4ab3c5f1c0 100644 --- a/kubernetes/uui/components/uui-server/templates/job.yaml +++ b/kubernetes/uui/components/uui-server/templates/job.yaml @@ -61,6 +61,7 @@ spec: {{ include "common.waitForJobContainer" . | indent 6 | trim }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: init-data configMap: